PACKAGE DELIVERY

Simplifying Linux installations will be a priority at LinuxWorld. Page 6

An employee unintentionally transmits a computer virus to a business partner, and it causes thousands of dollars in damage. Is your company liable? Some legal experts predict that you may be hauled into court to find out. Page 37

Cisco Flaw Raises Concerns, But Attacks Deemed Difficult

IT managers put trust in defensive measures; router vulnerability seen as complex to exploit

BY JAIKUMAR VIJAYAN

The public demonstration of an attack against a Cisco Systems Inc. router at last month’s Black Hat USA conference showed that a core part of corporate networks may be more vulnerable to hackers than many users had assumed.

But, IT managers and security analysts said last week, companies that follow recommended practices for securing their networks should be reasonably well protected despite the fact that attackers now have information on how to shut down routers by exploiting a previously disclosed software flaw.

“In the end, the Cisco case is no different than [a hack against] a Microsoft or Unix box,” said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a

Cisco Flaw, page 52


MORE  INSIDE 

Cisco resets user passwords on its Web site because of a search engine flaw; Microsoft says hackers have bypassed its new antipiracy check. Page 52


Sarbanes-Oxley Trumps IM at Some Firms

Concerns about security, archiving prompt companies to unplug instant messaging systems

BY THOMAS HOFFMAN

In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology’s security and archival controls aren’t strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.

Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.

Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn’t be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-

IM Security, page 16

Users Speed Feeds to Data Warehouses

BY HEATHER HAVENSTEIN

As business intelligence becomes a critical component of daily operations, real-time data warehouses that can provide end users with rapid updates from transactional systems are increasingly sprouting up at companies.

For example, online retailer Overstock.com Inc. has begun connecting users to a real-time data warehouse it completed last month. The project’s goal is to help employees gain insight into the effectiveness of the company’s online and e-mail advertising campaigns.

Overstock is using transactional data management

Warehouses, page 16


Read our full Sarb-Ox coverage:


Managing ‘Prosumers’

In the Management section: Those hotshot new hires come with handhelds and smart phones that you haven’t even thought about dealing with. What will you do about standards, security and costs? Page 40

Targeting the Enemy Within

In the Technology section: It’s not just the disgruntled or careless employee who poses an inside security threat. Companies are also dealing with the risks created by suppliers, partners and service providers with inside access to enterprise networks. Page 23

6 Linux-based systems may become easier to install and manage with new packaged options that major vendors plan to announce this week.

7 Large companies are increasingly outsourcing human resources functions and IT rather than upgrading their ERP software.

7 AT&T will offer hosted services for utility computing and server virtualization.

10 The government’s plan to offer low-cost software to small medical practices could help large health care systems by promoting the use of electronic health records industrywide.

12 Computer Associates discloses a major security flaw in its data backup software, and analysts say it’s an example of just how vulnerable storage software is.

12 Fujitsu builds a notebook PC that can be converted into a tablet device for use in health care and other niche markets.

14 Global Dispatches: Oracle agrees to buy majority control of a banking software vendor based in India; and Sun will open a data center in Scotland for remotely managing customer systems.

14 IBM ships a network-attached storage device made by Network Appliance and will replace its own NAS line with more NetApp models in the fall.


28 Computerworld Honors. Case Study: Homegrown Grid. A grid computing project at Acxiom speeds delivery of data to the company’s business clients.

30 QuickStudy: Markup Languages. These languages use embedded tags to characterize text elements within a document to indicate their function, meaning or context.

32 Security Manager’s Journal: Dealing With an ISO Who’s Only So-So. C.J. Kelly confronts her agency’s information security officer, who’s weak in most technical areas.

MANAGEMENT 

37 E-mail Exposure. Beware! If your employees inadvertently pass malware to other companies via e-mail, you could find yourself in court.

42 In the Dark. Night-shift workers can feel isolated, hostile and just plain tired. Here are some tips for keeping them happy and productive.

43 Q&A: Throw Out the Rules. Virtuoso teams have talent, energy, ambition, intensity, ego and risk — all in spades. Boston College’s Andy Boynton tells how to manage them.

44 Career Watch. The hiring environment for CIOs; what a rise in IT pay may say about offshore outsourcing; the latest on tech job cuts; and CEOs’ expectations for the economy.


8 On the Mark: Mark Hall reports on a consultant who says aging IT staffs and their favored old technologies put many companies at risk.

20 Don Tennant looks at the IT landscape and concludes that we’re likely to see more and more start-ups offering Web-based, on-demand services.

20 Julie Silverstein shares some research that suggests ways to maintain user groups’ value for members and vendors.

21 Michael Gartenberg reconsiders his nostalgia for high-tech stuff of days gone by.

36 Curt A. Monash thinks the pure relational model of database management is collapsing and must be replaced with a radically different view of data management.

46 Bart Perkins recognizes that business people can be reluctant to take on an executive sponsor role. Don’t let them off the hook.

54 Frankly Speaking: Frank Hayes says competitive advantage can come from the way software, hardware, networks and practices are all put together.


DEPARTMENTS/RESOURCES 


At Deadline Briefs: 6

News Briefs: 8, 12

Letters: 21

IT Careers: 49

Company Index: 51

How to Contact CW: 51

Shark Tank: 54


QuickPoll Results

Should mobile phone use be allowed on airplanes?

No, couldn't stand the thought: 55%

Yes, but with restrictions: 23%

Take this week's QuickPoll at www.computerworld.com.

SOURCE: COMPUTERWORLD.COM NONSCIENTIFIC SURVEY; 476 VOTES


Are We Safer Yet?

SECURITY: In the wake of the release of information on Cisco’s router flaw, security analyst Pete Lindstrom asks whether companies or the Internet are safer. Or is there something else we should be doing? QuickLink 55917

Ten Tips for Faster Backups

STORAGE: By following these simple suggestions, backup managers can ease many of their storage headaches, says Robert Farkaly of Overland Storage. QuickLink a8850

Storage Delivery of the Future

WEBCAST: Hewlett-Packard executive Ann Livermore discusses the relentless move toward digital, mobile and virtual technologies. Presentation recorded at Storage Networking World Spring 2005. QuickLink a8840

What’s a QuickLink?

Throughout each issue of Computerworld, you’ll see five-digit QuickLink codes pointing to related content on our Web site. Also, at the end of each story, a QuickLink to that story online facilitates sharing it with colleagues. Just enter any of those codes into the QuickLink box, which is at the top of every page on our site.

IT Gets More Packaged Options for Linux, Grid


Microsoft Goes to Wal-Mart for Exec

Microsoft Corp. named Kevin Turner, a 40-year-old executive from Wal-Mart Stores Inc., to fill its chief operating officer position. Turner will join Microsoft on Sept. 8 and take over responsibility for the company’s sales, marketing and services organization as well as its fulfillment and IT operations. He was Wal-Mart’s CIO from 2000 to 2002 and most recently was president and CEO of the retailer’s Sam’s Club division.

Security Vendor: ID Theft Ring at Work

Sunbelt Software Distribution Inc., a vendor of antispyware tools in Clearwater, Fla., said it stumbled upon an identity theft ring that’s using a spyware program to systematically break into and steal confidential information from computers. The data is being uploaded to a remote server that appears to be located in the U.S., Sunbelt said, adding that it has notified the FBI. Officials at the FBI couldn’t be reached for comment on Friday.

Six Security Fixes Due for Windows

Microsoft said it plans to release six software patches to address security flaws in Windows tomorrow as part of its monthly update process. The company didn’t release details, except to say that some of the vulnerabilities will be given “critical” ratings. Microsoft will also issue an updated version of its malware removal tool and a Windows update that doesn’t relate to any security holes.

Short Takes

NEC CORP. said it has developed a rechargeable battery made from organic compounds instead of hazardous materials like lithium. . . . SPRINT CORP. and NEXTEL COMMUNICATIONS INC. said the Federal Communications Commission approved their merger.


Dell, IBM, HP aim to improve ease of use for technology

BY CAROL SLIWA

CORPORATE users who may have been hesitant to take the open-source plunge will get new packaged options this week from major vendors that are continuing to try to make it easier to acquire, use and manage Linux-based systems.

Dell Inc., Hewlett-Packard Co. and IBM are among the many vendors that will use the LinuxWorld Conference & Expo in San Francisco to launch products and services designed to make users more comfortable with choosing Linux and other open-source software offerings.

Dell, for instance, plans to introduce PowerEdge 830 and 850 servers with dual-core Intel processors and give customers the option of bundling a stack of open-source software with the hardware.

Users can get Red Hat or SUSE Linux, plus the MySQL database and JBoss application server. In addition, they now can buy support subscriptions for the MySQL Network and JBoss Network directly from Dell.

The goal is to help open-source users quickly get up and running with a tested and supported system, similar to the way they can launch Windows servers out of the box, said Judy Chavis, director of business development and global alliances for Linux and open-source at Dell.

Easier Adoption

The availability of bundled offerings hasn’t been crucial for many early Linux adopters that have the necessary in-house skills to configure and install systems themselves.

Joseph Foran, director of IT at FSW Inc. in Bridgeport, Conn., said it has never been a problem for the nonprofit social services agency to install Linux and the rest of the so-called LAMP stack, which also includes the Apache Web server, MySQL and either the Perl, PHP or Python scripting languages. An enhanced LAMP stack that has an application server configured with business applications might be helpful, Foran said. “But if you have the expertise,” he added, “it doesn’t really matter.”

Grid has had an aura of complexity, and we want to take the complexity out of it.

AL BUNSHAFT, VP OF GRID COMPUTING, IBM

However, as Linux continues to gain momentum as a mainstream IT option, more companies will want to hit the ground running and find vendors that make it easy to use the technology, said Dan Kusnetzky, an analyst at Framingham, Mass.-based IDC.

A lack of required application software and a lack of expertise at customer sites have been “the big impediments to Linux adoption,” he noted.

HP will try to foster more use of open-source software by opening four Linux Expertise Centers in the U.S. for software vendors, developers and systems integrators to make sure their products work with its hardware. Also this week, HP plans to announce the availability of more than 200 open-source software packages for its HP Integrity NonStop servers.

IBM will try to lure more users to try grid computing by launching a “Grid and Grow” package that includes a choice of BladeCenter server options with a chassis ready for expansion, an operating system, grid middleware and services. Pricing starts at $49,000.

Al Bunshaft, vice president of grid computing at IBM, said more than two-thirds of the grid deployments that the company is involved in are Linux-based. “Grid has had an aura of complexity,” he said, “and we want to take the complexity out of it.”

One sign that software vendors are trying to draw more attention to their Linux support is the LinuxWorld exhibit hall debut of SAP AG, which hopes to make users more aware that its applications run on the operating system. The percentage of SAP users with Linux is small but growing rapidly, said Torsten Geers, an SAP vice president. QuickLink 56019


Novell Opens Development of SUSE Linux

NOVELL INC. this week plans to launch a community-based effort to open up development of its SUSE Linux operating system. The company’s strategy includes an attempt to accelerate the use of the software by flooding the market with copies through a variety of outlets.

Novell’s openSUSE initiative is already being compared to the Fedora Project that rival Red Hat Inc. sponsors for its Linux distribution. New technology that emerges from the work of the Fedora community is considered for inclusion in Red Hat’s software products.

George Weiss, an analyst at Gartner Inc., said many companies use Fedora for experimental purposes and then often move on to become users of Red Hat Enterprise Linux. Novell needed to create a similar open-source community for SUSE Linux as part of its effort to attract users away from Red Hat, he said.

Minimal Input Upfront

Novell has been developing SUSE Linux internally through a closed model, with little front-end input from the open-source community at large, said Greg Mancusi-Ungaro, the company’s director of Linux and open-source marketing. Now it plans to adopt “a completely open and transparent model” for developing the software, he said.

Previously, Novell made available a SUSE Linux Professional edition aimed at technical enthusiasts and developers. That version often served to preview features that eventually turned up in the SUSE Linux Enterprise Server operating system for corporate users. SUSE Linux Professional will now be known simply as SUSE Linux, the company said.

Novell plans to release an initial beta of SUSE Linux 10.0 this week at LinuxWorld. The final version is due in October, according to Mancusi-Ungaro. He said the company expects to release a 10.1 version six months later and continue with new editions every six months thereafter. A public-code repository will be set up next year.

Novell plans to offer a retail version for end users with a user guide and installation support but will also give away SUSE Linux DVDs at LinuxWorld and make them available through magazine inserts in an effort to make it easier for users to gain access to Linux, Mancusi-Ungaro said.

“We’re trying to make our Linux available in all the ways customers demand,” he said. “We hope that by doing so, we’ll help to move the needle on Linux adoption worldwide.”

- Carol Sliwa

HR Outsourcing Picking Up Steam


ERP licensing and consulting costs seen as factors

BY PATRICK THIBODEAU AND MARC L. SONGINI

When PepsiAmericas Inc. wanted to automate some human resources processes, it could have expanded its own PeopleSoft ERP system, but that would have required buying more software, hiring consultants and stressing an already tapped-out IT staff.

Instead, Dana Sacks, vice president of compensation, benefits and human resources information systems, said she turned to managed service provider Authoria Inc. in Waltham, Mass., to automate performance management processes, bonus calculations and succession planning.

Sacks said her Minneapolis-based, 11,000-employee company will evaluate managed services for more applications, and she wouldn’t rule out replacing ERP systems with service providers.

PepsiAmericas isn’t alone. Technology Partners International Inc. (TPI), an outsourcing consultancy in The Woodlands, Texas, reported that so far this year, 14 companies with more than 10,000 employees have outsourced workforce administration.

“We think the long-term trend is an erosion of the adoption of ERP as an infrastructure in the corporate enterprise and moving away from licensing software to buying services,” said Peter Allen, managing director and partner at TPI.

Outsourcing HR

Companies have outsourced payroll and benefits administration for many years, but the move to outsource virtually all HR activities — business processes and IT — is still new. One out of 10 companies has done some HR outsourcing, but only about half of those companies have outsourced everything, estimated Michael Cornetto, a consultant at Watson Wyatt & Co. in Arlington, Va. But he said the market for total HR outsourcing is growing 30% per year.

Leader Board

Market share for workforce administration service providers (year to date):

Aon Corp.: 3%

Affiliated Computer Services Inc.: 13%

Note: Figures don't add up to 100% because of rounding.

SOURCE: TECHNOLOGY PARTNERS INTERNATIONAL INC., THE WOODLANDS, TEXAS

Late last month, Whirlpool Corp. signed a 10-year deal to outsource HR business processes for 68,000 employees to Convergys Corp. in Cincinnati. A major reason was the need to improve HR technology, said Abby Luersman, vice president for HR solutions at Benton Harbor, Mich.-based Whirlpool.

Whirlpool was underinvesting in IT and needed “better decision-making with better data,” Luersman said.

‘Bite-Size Pieces’

So far, Whirlpool is using Convergys to integrate its self-service model with its SAP system and take over some of the transaction processing, she said. But over time, some HR IT systems could move to the outsourcer’s data center, Luersman said. “This is a 10-year agreement with Convergys, and clearly we’re doing it in bite-size pieces,” she said.

Memorial Health Services Corp. in Long Beach, Calif., is a PeopleSoft ERP shop that already had an HR application license but decided it would be cheaper to outsource benefits and other functions, said Patti Ossen, senior vice president of human resources at the hospital group.

Deploying PeopleSoft’s benefits software would have required an external consultant, cost about $350,000 and taken about 5,000 hours, she said. So Ossen turned to hosted providers, including Employease Inc. in Norcross, Ga.

But it’s not a path for all companies. David Rudzinsky, CIO at Bedford, Mass.-based medical instruments maker Hologic Inc., said he uses the payroll services of Automatic Data Processing Inc., whose system is integrated with the human resources module in his Oracle eBusiness Suite 11i ERP system.

“This was a major improvement in the process and makes the payroll/human resources people more efficient,” he said, adding that he doesn’t want to use any external providers of other HR functions. QuickLink 56020

MORE THIS ISSUE

Don Tennant explains why you should take a lesson from the Chicago public schools when it comes to hosted apps. Page 20


AT&T to Offer Managed Utility Computing Service

Hosting unit will also add server virtualization in Q4

BY MATT HAMBLEN

AT&T Corp. will launch a managed utility computing service late this year based on hardware from Sun Microsystems Inc. as one of several improvements to its hosting service, AT&T executives revealed in interviews last week.

The utility computing service, to be formally announced and offered sometime in the fourth quarter, would give businesses automatic and on-demand access to computing resources to scale up and down efficiently, said Mike Jenner, vice president of hosting and application management services at AT&T.

Jenner also said AT&T will add server virtualization capabilities for its hosting clients in the fourth quarter.

For users, the big advantages of both utility computing and server virtualization include the ability to rapidly provision IT resources and avoid the cost of investing in server hardware, Jenner said.

“Customers spend a lot in capital, while their systems often go underutilized much of the year,” said Christina Costello, director of product management for AT&T’s managed hosting and utility computing services unit.

Service Charges

Companies that choose the utility computing option will pay a base fee each month to get access to a dedicated server — roughly half the cost of leasing one — plus a variable utilization charge, AT&T said.

One existing AT&T hosting customer, Turbine Inc., has been discussing the utility computing service with AT&T “quite seriously,” said Michael Hogan, vice president of technology and operations at the Westwood, Mass.-based maker of online games. Turbine is looking at utility computing as a means of handling the enormous surges in network usage it experiences when it releases new multiplayer games.

“We’re always looking for ways to spike up capability for the first weeks [after a new game release] and then back off,” he said.

With one earlier game release, Hogan noted, Turbine “grossly underestimated resources” and ended up trying to throw hardware at the problem. Conceivably, with a utility computing service, Turbine would “have a plan in place, quickly scale up in the near term and roll off,” he said.

Analysts said AT&T’s utility computing service appears to be the first offered by a network services provider. Sun, IBM, Savvis Inc. and Electronic Data Systems Corp. offer utility computing and utility storage services, but the market hasn’t grown as much as first projected two years ago, said Ted Chamberlin, an analyst at Gartner Inc.

“Utility computing has been cooking along for a while, but there is limited interest in it,” Chamberlin said. “Customers don’t exactly call up and say, ‘Give me some of that utility computing.’ ” QuickLink 56015


NCR Hires Nuti to Replace Hurd as CEO

NCR Corp. named William Nuti president and CEO, filling the position vacated by Mark Hurd when he left in March to become the top executive at Hewlett-Packard Co. Nuti previously was CEO of Symbol Technologies Inc. in Holtsville, N.Y. Symbol last week reported a $30.5 million second-quarter loss, but an NCR spokesman said the loss “hasn’t changed anything” in terms of the company’s confidence in Nuti.

Mozilla Decides to Form Corporate Unit

The Mozilla Foundation has created a corporate subsidiary to support its moneymaking activities and handle the marketing of its open-source products. The Mountain View, Calif.-based foundation said the formation of Mozilla Corp. was made necessary by the “unintended but real” revenue generated by a search tool within its Firefox browser that links to search engines and specific Web sites.

Microsoft Acquires Adapters for BizTalk

Microsoft Corp. said it has bought eight .Net-based application adapters that work with its BizTalk Server software from iWay Software, a unit of Information Builders Inc. The products supported by the adapters include Oracle applications and databases, plus J.D. Edwards, PeopleSoft and Siebel applications. Microsoft and iWay didn’t disclose the purchase price.

Short Takes

IBM announced a version of WebSphere Portal that has a common code base for all of its servers, including the iSeries midrange line and zSeries mainframes. . . . SAP AG named Ike Nassi, formerly chief technology officer at Firetide Inc. in Los Gatos, Calif., to manage its software research work in the Americas region.

Baby Boomers Get Ready for Bed While...

. . .  their  creaking  technologies  burden  IFs  maintenance 
budgets.  Worse,  argues  Damian  Smith,  a  vice  presi¬ 
dent  at  Dallas-based  Hitachi  Consulting  Corp.,  keep¬ 
ing  mainframes  and  even  client/server  systems  limp¬ 
ing  along  chews  up  so  many  IT  resources  that  many 


of  the  companies  using  them 
wUl  be  bypassed  by  more  nim¬ 
ble  competitors  that  adopt  the 
flexible  systems  favored  by 
younger  IT  workers.  Smith 
warns  that  if  your  mainte¬ 
nance  cost 
for  aging 
technologies 
is  more  than 
50%  of  your 
IT  budget, 
“you  are 
pretty  much 
dead.”  (Per¬ 
haps  that’s 
why  the  con¬ 
sulting  unit’s 
parent  com¬ 
pany,  Hitachi  Ltd.,  used  to  sell 
mainframes.)  But  most  IT 
dollars  now  should  be  spent 
on  new  systems  in  order  to 
retire  the  old  ones.  Smith  says. 
“Lots  of  companies  are  now 
consuming  70%  to  90%  of 
their  budgets  on  maintenance 
and  support,”  he  claims.  “And 
when  you’re  doing  that,  you 
can’t  do  new  things  to  support 
high-demand  users.”  The  situ¬ 
ation  is  compounded  by  a 
generation  gap  as  well.  Older 
technology  is  generally  main¬ 


tained  by  more  experienced 
workers  who  have  higher 
salaries  “and  are  less  likely  to 
work  longer  than  40  hours 
per  week,”  Smith  observes, 
adding  that  he  thinks  efforts 
by  IBM  and  others  to  boost 
interest  in  mainframes  among 
young  whippersnappers 
[QuickLink  55867]  are  futile. 
“Do  I  invest  in  new,  young 
blood  to  train  on  old  technol¬ 
ogy,”  he  asks,  “or  get  new 
technology  to  attract  lower- 
cost,  younger  workers  who 
are  willing  to  work  longer 
hours?”  The  answer  is  obvi¬ 
ous,  he  thinks.  It’s  vital  to 
shift  off  old  platforms  now 
before  all  those  gray  heads 
putter  off  to  senior  centers 
and  take  their  knowledge 
with  them.  If  you  don’t,  he 
warns,  “the  baby  boomer 
bomb  could  blow  up  and  de¬ 
stroy  a  few  companies  in  the 
near  future.” 

Flashier  Web  sites
are  possible . . . 

. . .  with  the  imminent  arrival  of 
Studio  8.  The  upgrade  of 
Macromedia  Inc.’s  flagship 
software  suite  includes  new 


releases  of  Dreamweaver, 
Flash  Professional  and  Fire¬ 
works  but  replaces  the  Free¬ 
hand  illustration  program 
with  products  called  Con¬ 
tribute  3  and  FlashPaper  2. 
Jim  Guerard,  vice  president 
of  product  management  and 
marketing  at  Macromedia, 
says  the  San  Francisco-based 
company  will  continue  to 
sell  and  update  Freehand  as 
a  separate  application.  Guer¬ 
ard  says  Contribute  lets  busi¬ 
ness  users  update  Web  pages 
themselves  without  having 
to  pester  Web  designers,  al¬ 
though  the  designers  get  to 
control  what’s  included  in 
updates  and  where,  when  and 
how  they  take  place.  Flash- 
Paper  can  convert  docu¬ 
ments,  such 
as  Word 
files,  into 
Flash  files 
for  easy  ex¬ 
port  to  Web 
sites.  Among 
other  up¬ 
dates  to  the 
products  al¬ 
ready  in  the  suite, 
Dreamweaver  8  has  im¬ 
proved  cascading  stylesheets 
and  new  guides  that  let  de¬ 
signers  precisely  position 
objects  on  a  Web  page  down 
to  the  pixel  level.  Macrome¬ 
dia,  which  is  due  to  be  ac¬ 
quired  by  Adobe  Systems  Inc. 
under  a  deal  signed  in  April, 
plans  to  ship  the  $999  suite  in 
September. 

Solidify  your 
server  security . . . 

...  by  preventing  all  but  ap¬ 
proved  code  from  running  on 
systems.  That’s  the  approach 
advocated  by  Solidcore  Sys¬ 
tems  Inc.  in  Palo  Alto,  Calif. 
According  to  John  Sebes,  its 
chief  technology  officer,  an 
upcoming  security  module 
for  Solidcore’s  S3  Control 
software  will  inventory  all  the 
binary  files,  scripts,  Dynamic
Link  Libraries  and  other 
forms  of  executable  code  that 
you  want  running  on  your 


Wlo 

Percentage 
of  workstations 
running  Flash 
Player,  estimates 
NPD  Group  Inc. 


computers 
and  permit 
only  those 
programs  to 
execute. 

Anything 
else  gets 
stopped  in  its 
tracks,  Sebes 
says.  Even 
sysadmins 
with  root- 
level  privileges  can’t  slip  in 
a  favorite  script  without  the 
permission  of  the  person  who 
oversees  S3  Control.  The  S3 
Security  module  even  pro¬ 
tects  systems  from  “being 
tricked  by  things  like  buffer 
overflows,”  Sebes  says.  S3 
Security  will  ship  next  month 
for  Linux,  Solaris  and  Win¬ 
dows  servers.  Solidcore  will 
add  support  for  AIX  and  HP- 
UX  servers  and  Windows  XP 
workstations  in  Q4.  Pricing 
starts  at  $2,000  per  node  and 
decreases  with  volume. 


SEBES:  Stop 
unauthorized 
code  from 
running. 


Back  up  your  e-mail 
backup  copies . . . 

...  in  case  disaster  strikes. 

This  week,  Mimosa  Systems
Inc.  in  Santa  Clara,  Calif., 
will  add  a  disaster  recovery 
option  to  its  NearPoint 
archiving  software  for  Micro¬ 
soft  Exchange  servers.  The 
new  module  lets  you  keep 
a  near-real-time  archive  of 
your  e-mail  outside  the  data 
center  on  a  LAN  or  even  else¬ 
where  on  a  WAN.  T.M.  Ravi, 
Mimosa’s  CEO,  claims  that 
because  NearPoint  doesn’t 
use  agents  on  Exchange  sys¬ 
tems,  it  helps  make  them 
more  stable.  The  No.  1  reason 
for  Exchange  server  failures 
is  third-party 
software  run¬ 
ning  on 
them,  Ravi 
says.  Near¬ 
Point  begins 
at  $9,995,  and 
the  Disaster 
Recovery 
option  starts 
at  $2,100. 

0  55983 


Medical Software From Feds Could Benefit Big Health Care

Low-cost app for small practices seen as aid in effort to computerize records

BY HEATHER HAVENSTEIN

Some IT managers at large health care organizations are delighted that the federal government plans to offer its electronic health records (EHR) software to small and midsize physician practices at a low cost. The move is expected to be a significant boon to the efforts of big providers to computerize patient records, the IT managers say.

While many hospitals and large physician practices have deployed EHR software for their patient bases, the systems won’t be fully effective unless physicians in smaller medical groups who refer patients for treatment automate their records as well.

The Centers for Medicare and Medicaid Services (CMS) expects to announce the distribution plans for its Vista-Office EHR software this month. The announcement, which has already been widely publicized [QuickLink 55837], was due to take place last week but didn’t materialize. Vista-Office has been in use at Veterans Affairs hospitals and clinics for more than 20 years.

Encouraging Adoption

The CMS will allow physicians to license Vista-Office for less than $3,000 for a five-doctor practice, according to a CMS spokesman. The move is designed to address one of the biggest barriers to the Bush administration’s goal of computerizing all patient records over the next decade: the lagging adoption rate among smaller practices.

“Vista is a good program, [and] if done correctly, there will be a level of ability to share records across regional health information organizations. It could prove to be a very effective tool for many of our small-practice, community-based M.D.s,” said John Hummel, CIO at Sutter Health in Sacramento, Calif. Sutter operates 27 hospitals in Northern California.

Any option that gets physicians to begin to computerize patient records is a good idea, said J. David Liss, vice president of government relations and strategic initiatives at NewYork-Presbyterian Healthcare System.

“Physicians who have rotated through VA hospitals love Vista — having all the patient data in one place is so compelling,” Liss said.

Hospitals and health systems could benefit from the government plan because historically, they capture the lion’s share of the benefits from EHRs: They get access to patient histories, while the physician practices that compile them bear most of the costs, said Eric Brown, an analyst at Forrester Research Inc.

As a result, large hospitals have a vested interest in making sure that all the physicians referring patients to them are using an EHR system, he said. Brown and others warned that the capital investment in electronic records often can be dwarfed by the training, implementation and configuration costs involved.

Vendors are ramping up to support physicians who will deploy Vista. In May, the not-for-profit organization WorldVista was awarded a contract by the CMS to provide training to vendors that will install the software.

Medsphere Systems Corp. in Aliso Viejo, Calif., will be offering Medsphere OpenVista, an open-source version of the government’s software that captures clinical, financial and administrative data. Medsphere will also be providing an ASP version of the software and services such as training, maintenance and support for Vista users, said Scott Shreeve, chief medical officer and co-founder of Medsphere.

Midland Memorial Hospital in Midland, Texas, will go live in December with its first clinical application based on Medsphere’s OpenVista. The hospital plans to use the technology to develop a comprehensive EHR system, said David Whiles, director of information systems at Midland.

“It is an extremely mature, very functionally rich electronic record,” he said. “It has been in place for 20-plus years, and it is not one of these new systems that vendors are offering, looking for alpha or beta partners.”

The OpenVista project will cost less than half of the upfront capital investment required for a commercial EHR product, Whiles said.

O 56007


Health Care System Turns To IT for Patient Care Plans

Treatment based on data about similar patients

BY HEATHER HAVENSTEIN

NewYork-Presbyterian Healthcare System is rolling out an IT system that generates suggested care plans for physicians based on data about previous patient outcomes and then sends alerts if treatments don’t appear to be working.

The Patient Health Monitor project, which the health care system began two months ago at its flagship NewYork-Presbyterian Hospital, currently uses artificial intelligence (AI) software to create treatment plans for patients in cardiac intensive-care units. The plans are based on the records of 7,500 cardiac patients, which are among 2.5 million patient records in a data repository.

In addition, the system takes data from equipment such as heart monitors and provides alerts to physicians via tablet PCs if patients deviate from projected outcomes, said J. David Liss, vice president of government relations and strategic initiatives at the health system.

Unlike traditional clinical support systems that use rules engines to suggest patient care, the health monitor is based on inferencing technology designed by a NewYork-Presbyterian physician. The software builds care plans by matching patient characteristics such as age, disease type and medication history with successful prior outcomes.

“All of the alerts are relevant to the patient because they are based on a history of cases,” Liss said.

In addition, because the repository is updated with new patient records every 24 hours, the AI system has an ever-growing pool of data to exploit to generate the care plans, Liss said.

Plans call for the health monitor technology to be expanded to other departments in the hospital and to other hospitals in the NewYork-Presbyterian system, according to Liss.

The project was funded by $250,000 in donations from Verizon Communications Inc. and Intel Corp. and $50,000 worth of donated equipment from Computer Motion Inc. and Dell Inc.

Eric Brown, an analyst at Forrester Research Inc., said he knows of only one other health care entity that has launched a similar initiative. The Mayo Clinic and IBM in August 2004 said they were starting to use a DB2 database to help physicians treat patients.

“This idea of a decision-support system is one of the outcomes we’d like to see from the introduction of electronic medical records ... moving to an era of personalized medicine,” Brown said. “It is taking your particular situation and plugging it into the database — not searching for all people who have had a heart attack, but all patients who have had a heart attack who look like you.”

O 56012
CA  Security  Hole  Points
To  Data  Backup  Threats 

Vendor  patches  flaws  in  storage  tools, 
but  concerns  about  attacks  increase 


IBM  Will  Buy  Data 
Integration  Vendor 

IBM  said  it  has  agreed  to  buy  DWL 
Inc.,  a  developer  of  Java-based 
software  for  integrating  customer 
data,  for  an  undisclosed  price. 
DWL  has  about  150  employees
and  is  based  in  Atlanta,  although 
most  of  its  operations  are  in 
Toronto.  IBM,  which  expects  to 
complete  the  deal  later  this  year, 
said  it  plans  to  expand  DWL’s 
presence  in  industries  such  as 
telecommunications  and  retail. 


Court  Denies  RIM 
On  Patent  Petition 

A  U.S.  appeals  court  last  week  re¬ 
versed  one  finding  that  Research 
In  Motion  Ltd.  had  infringed  on 
patents  held  by  NTP  Inc.  in 
McLean,  Va.  But  the  court  upheld 
other  findings  and  denied  RIM’s 
petition  for  a  full  rehearing  of  the 
patent  dispute.  A  lawyer  for  NTP 
said  it  plans  to  seek  an  injunction 
against  sales  of  RIM’s  BlackBerry 
devices  in  the  U.S.  Waterloo,  On¬ 
tario-based  RIM  said  it  was  still 
reviewing  the  decision. 


BY  JAIKUMAR  VIJAYAN 

COMPUTER  Associates
International  Inc. 
last  week  disclosed  a 
major  security  flaw 
in  its  data  backup  software, 
and  analysts  said  the  problem 
is  an  example  of  the  kind  of 
vulnerabilities  that  are  making 
storage  software  more  attrac¬ 
tive  to  malicious  hackers. 

CA  released  patches  to  fix 
what  it  described  as  a  “criti¬ 
cal”  vulnerability  in  its  Bright- 
Stor  ARCserve  agent  software, 
which  is  used  to  back  up  and 
restore  data  between  servers 
and  storage  devices. 

The  buffer-overflow  flaw 
exists  in  multiple  versions  of 
ARCserve  Backup  and  Enter¬ 
prise  Backup  for  Windows 
and  could  allow  attackers  to 
take  control  of  systems,  exe¬ 
cute  code  or  launch  denial-of- 


service  attacks,  CA  warned  in 
a  security  advisory. 

What  makes  the  threat  par¬ 
ticularly  potent  is  the  fact  that 
many  companies  use  the  vul¬ 
nerable  CA  software  on  pro¬ 
duction  servers,  said  Michael 
Sutton,  director  of  vulnerability
research  at  iDefense  Inc.,
a  security  threat  assessment
firm  that  was  recently  ac¬
quired  by  Verisign  Inc.


Backup  products  are
designed  to  prevent
catastrophes  by
recording  copies  of
important  data. . . .
Unfortunately,  those
products  have  be¬
come  easy  targets
for  attackers.

FROM  THE  SANS  INSTITUTE'S
REPORT  ON  THE  TOP  20  INTER¬
NET  VULNERABILITIES  DISCOV¬
ERED  DURING  Q2,  ISSUED  IN  JULY


Attackers  who  take  advan¬ 
tage  of  the  flaw  could  access 
any  data  on  unprotected 
servers,  Sutton  said.  Reston, 
Va.-based  iDefense  was  credit¬ 
ed  with  discovering  the 
BrightStor  vulnerability. 

Data  backup  products  are 
becoming  increasingly  attrac¬ 
tive  and  easy  targets  for  hack¬ 
ers,  said  Alan  Paller,  director 
of  research  at  the  SANS  Insti¬ 
tute,  a  Bethesda,  Md.-based 
organization  that  does  securi¬ 
ty  training  and  research. 

SANS,  which  compiles  a 
quarterly  list  of  the  top  20 
Internet  security  threats,  in¬ 
cluded  several  vulnerabilities 
in  widely  used  data-backup 
products  from  CA  and  Syman¬ 
tec  Corp.’s  Veritas  unit  on  the 
list  that  it  released  last  month 
for  the  second  quarter. 

Such  vulnerabilities  are  sure 


to  attract  the  attention  of  mali¬ 
cious  hackers  because  data 
backup  products  grant  access 
to  virtually  all  of  a  company’s 
data,  Paller  said.  He  added 
that  operating  systems,  which 
have  traditionally  been  the 
most  popular  targets,  are  be¬ 
coming  harder  to  hack,  result¬ 
ing  in  more  of  a  focus  on  rela¬ 
tively  less-protected  applica¬ 
tion  servers  and  storage  tech¬ 
nologies. 

So  far,  there  has  been  little 
evidence  of  vulnerabilities  in 
data  backup  products  being 
widely  exploited,  said  Jon  Olt- 
sik,  an  analyst  at  Enterprise 
Strategy  Group  Inc.  in  Mil¬ 
ford,  Mass.  But  the  existence 
of  so  many  flaws  in  popular 
products  is  worrisome  be¬ 
cause  storage  teams  often 
know  little  about  security  is¬ 
sues  and  don’t  adhere  to  cor¬ 
porate  policies,  he  said.  “Stor¬ 
age  has  always  been  designed 
for  performance  and  availabil¬ 
ity,  not  security,”  Oltsik  noted.
O  56024 
Epiphany  Agrees  to
Buyout  After  Loss 

Epiphany  Inc.,  a  CRM  vendor  in 
San  Mateo,  Calif.,  agreed  to  a 
$329  million  cash  buyout  offer 
from  SSA  Global  Technologies 
Inc.  The  deal,  which  is  expected 
to  close  within  eight  to  12  weeks, 
coincided  with  Epiphany’s  disclo¬ 
sure  that  it  lost  $8.3  million  in 
the  second  quarter  on  revenue  of 
$16.7  million.  Chicago-based  SSA 
said  it  thinks  Epiphany  will  benefit 
from  having  access  to  its  soft- 
ware-distribution  network. 


Short  Takes 

BMC  SOFTWARE  INC.  reported  a 
$41.1  million  first-quarter  loss  but 
raised  its  business  forecast  for 
the  rest  of  fiscal  2006. . . . 
ADVANCED  MICRO  DEVICES  INC. 
released  versions  of  its  Opteron 
100  Series  processors  that  sup¬ 
port  buffered  memory  based  on 
error-correcting  code  technology. 


Fujitsu  Builds  Tablet  PC 
Support  Into  Notebook 


Includes  swivel  top, 
plus  touch-screen 
and  writing  tools 

BY  MATT  HAMBLEN 

Fujitsu  Computer  Systems 
Corp.  today  will  announce  a 
notebook  PC  that  weighs  just 
2.2  lb.  and  can  be  converted 
into  a  tablet  device  with 
touch-screen  and  handwrit¬ 
ing-recognition  capabilities. 
The  format  is  designed  to  ap¬ 
peal  to  users  in  health  care 
and  other  vertical  industries. 

The  new  LifeBook  P1500 
will  replace  the  P1000  model,
of  which  more  than  200,000 
units  have  been  sold  globally 
over  the  past  four  years,  said 
Paul  Moore,  director  of  mobile 
product  marketing  at  Fujitsu’s 


U.S.  headquarters  in  Sunny¬ 
vale,  Calif. 

Although  the  P1500  will  first 
ship  with  Windows  XP  Profes¬ 
sional,  Fujitsu  plans  to  also 
make  it  available  with  Micro¬ 
soft  Corp.’s  Tablet  PC  Edition 
operating  system  by 
year’s  end,  Moore  said. 

The  new  model,  which 
has  a  list  price  of  $1,499, 
is  based  on  a  1.2-GHz 
Pentium  M  processor 
and  includes  an  8.9-in. 
screen. 

The  older  LifeBook 
opens  like  a  typical 
notebook  PC,  but  the 
P1500  can  be  flipped  open 
and  swiveled  to  convert  to  a 
tablet  format.  That  capabili¬ 
ty  is  something  doctors  who 
use  the  P1000  have  asked  for,
said  C.A.  Nix,  president  of
Medical  Practice  Technologies 
LLC,  a  Cumming,  Ga.-based 
systems  integrator. 

Tablet  PC  technology, 
which  was  introduced  in  late 
2002,  has  largely  remained  a 
niche  product.  “Microsoft  had 
much  higher  expectations  for 
Tablet  PC  than  materialized,” 
said  Brian  O’Rourke,  an  ana¬ 
lyst  at  In-Stat  in  Scottsdale, 
Ariz. 


Nonetheless,  the  market  for 
Tablet  PC  devices  hit  $1.2  bil¬ 
lion  in  total  sales  last  year,  said 
O’Rourke.  He  predicted  that 
sales  will  rise  to  $5.4  billion  in 
2009,  as  average  prices  for 
tablet  devices  drop  well  below 
$2,000  and  more  applications 
become  available  for  them. 

O’Rourke  and  other  analysts 
said  there  already  are  a  couple 
of  ultraportable  notebooks  on 
the  market  that  are  similar  in 
size  to  the  P1500  but  don’t 
have  its  tablet  capabilities. 

Barry  Zane,  executive  vice 
president  of  sales  at  Brand- 
wise  SSI  Inc.,  a  Lakewood, 
Colo.-based  integrator  of  sales 
force  applications,  said  the 
faster  CPU  in  the  P1500  will 
make  it  “truly  a  little  comput¬ 
er.”  Zane  noted  that  the 
P1000  sometimes  takes
two  to  four  seconds 
to  load  new  pages  — 
too  slow  for  some 
applications. 
Oracle  to  Buy  61%  of
Banking  App  Vendor 

ORACLE  CORP.  announced  last 
week  that  it  will  buy  a  majority 
stake  in  banking  software  vendor 
i-Flex  Solutions  Ltd.,  continuing  a 
string  of  acquisitions  designed  to 
strengthen  Oracle’s  applications  busi¬ 
ness  in  vertical  industries. 

Oracle  plans  to  acquire  61%  of  Mum¬ 
bai,  India-based  i-Flex’s  stock  —  41% 
from  Citigroup  Inc.’s  venture  capital 
unit  and  20%  from  public  shareholders 
—  by  year’s  end.  The  total  value  of  the 
deal  is  expected  to  be  about  $909  mil¬ 
lion  (U.S.),  said  Greg  Maffei,  Oracle’s 
chief  financial  officer. 

The  i-Flex  deal  follows  acquisitions 
of  software  vendors 
Retek  Inc.  and  Profit- 
Logic  Inc.,  which  both  fo¬ 
cus  on  the  retail  industry 
[QuickLink  55409].  Ora¬ 
cle  took  control  of  Min¬ 
neapolis-based  Retek  in 
April  after  outbidding 
SAP  AG,  and  it  bought 
Cambridge,  Mass.-based 
ProfitLogic  last  month. 

I-Flex  provides  soft¬ 
ware  and  services  to  575 
banks  in  115  countries 


and  has  more  than  4,700  employees. 
Oracle  said  i-Flex  had  revenue  of 
$261  million  in  the  fiscal  year  that 
ended  March  31,  up  42%  from  the  year 
before,  and  it  earned  net  income  of 
$46  million.  The  company  was  founded
in  1992  with  venture  capital  from  Citi¬
group,  which  is  its  largest  customer. 

■  JAMES  NICCOLAI  AND  JOHN  RIBEIRO,
IDG  NEWS  SERVICE


Sun  Chooses  Scotland 
For  Remote  Management 

SUN  MICROSYSTEMS  INC.  will  open
a  data  center  in  Linlithgow,  Scot¬ 
land,  in  the  next  few  months  to 
remotely  manage  European  customers’ 
computer  systems,  a  Sun  executive 

said  in  an  interview  last 
week.  Don  Grantham, 
executive  vice  president 
of  Sun  Services,  said  the 
move  builds  on  Sun’s  ac¬ 
quisition  last  November 
of  Ashburn,  Va.-based 
SevenSpace  Inc.,  which 
specializes  in  remote 
management  and  moni¬ 
toring  of  IT  systems  and 
applications  [QuickLink 
51122].  Sun  now  manages 
data  centers  belonging  to 


more  than  100  customers  from  Seven- 
Space’s  facilities,  Grantham  said. 

The  company  is  seeing  very  strong 
growth  in  both  its  managed  and  pre¬ 
ventive  services  operations,  according 
to  Grantham.  Depending  on  the  suc¬ 
cess  of  the  European  data  center,  Sun
may  open  a  similar  facility  in  Banga¬ 
lore,  India,  or  Beijing  to  serve  Asia- 
Pacific  customers,  he  said. 

■  CHINA  MARTENS,  IDG  NEWS  SERVICE


Aussie  Utility  Starts 
Radio-over-iP  Network 

SYDNEY 

COUNTRY  ENERGY,  a  Sydney-based
electric  utility  owned  by  the  New 
South  Wales  state  government,  is 
implementing  a  radio-over-IP  (RoIP) 
system  so  field  workers  using  radios 
can  connect  to  the  utility’s  IP  phones 
and  external  telephone  numbers  via  an 
existing  IP  network. 

Cerulean  Solutions  Ltd.,  which  is  im¬ 
plementing  the  system,  said  last  week 
that  it  expects  to  finish  the  RoIP  proj¬ 
ect  by  year’s  end.  The  IBM-owned 
company  is  installing  radio-enabled 
gateway  routers  at  base  stations,  re¬ 
peaters  and  dispatch  consoles  to  con¬ 
vert  standard  radio  voice  signals  into 
Real-Time  Transport  Protocol  packets 
suitable  for  the  IP  network.  O  55982 
■  SANDRA  ROSSI, 
Number  of  corporate
employees  in  Western 
Europe  expected  to  be 
using  a  voice-over-IP 
system  by  2010. 

SOURCE:  ANALYSYS  RESEARCH 
LTD.,  CAMBRIDGE,  ENGLAND 


Briefly  Noted 

Infosys  Technologies  Ltd.,  India’s 
second-largest  software  and  ser¬ 
vices  outsourcing  vendor,  said  last 
week  that  in  January  it  plans  to 
open  a  $10  million  (U.S.)  software
development  campus  in  Shanghai 
with  room  for  1,000  workers.  Ban- 
galore-based  Infosys  already  has 
another  Shanghai  center  that  em¬ 
ploys  250  people. 

■  JOHN  RIBEIRO,  IDG  NEWS  SERVICE 


Sheffield  Hallam  University  in 
Sheffield,  England,  next  month  will 
begin  a  new  master’s  degree  pro¬ 
gram  for  information  security  man¬ 
agement,  in  conjunction  with  the 
British  Standards  Institution  (BSI). 
The  program  will  include  hands-on 
practical  experience  and  training 
on  BS7799,  the  BSI’s  standard  for 
information  security  management. 

The  Bank  of  China  (Hong  Kong) 
Ltd.  has  awarded  Unisys  Corp.  a 
contract  to  build  a  digital  imaging 
system  that  will  replace  the  bank’s 
microfilm  machines  for  document 
processing.  Unisys  said  late  last 
month  that  the  new  system  is  ex¬ 
pected  to  scan,  index  and  archive 
400,000  documents  per  day. 


IBM  Starts  Rollout  of  Network  Appliance’s  NAS  Boxes 


Vendor  adds  low-end  device  now,  plans
wider  storage  offering  in  fourth  quarter 


BY  LUCAS  MEARIAN 

New  storage  partners  IBM  and 
Network  Appliance  Inc.  last 
week  struck  against  the  rival 
team  of  EMC  Corp.  and  Dell 
Inc.,  with  IBM  introducing  a 
rebranded  version  of  a  low- 
end  network-attached  storage 
device  that’s  made  by  NetApp. 

IBM  is  aiming  the  NAS  box, 
which  it  is  marketing  as  the 
TotalStorage  N3700,  at  busi¬ 
nesses  with  up  to  1,000  em¬ 
ployees  and  at  the  remote  of¬ 
fices  of  larger  companies.  The 
rebranded  NetApp  FAS270 
supports  file-level  data  trans¬ 
fers  and  block-level  transfers 
done  via  the  Internet  SCSI  pro¬ 
tocol,  which  is  most  widely 


used  to  consolidate  backups 
from  farms  of  Wintel  servers. 

The  two  companies,  which 
announced  their  partnership 
in  April,  also  said  last  week 
that  IBM  will  introduce  an  ex¬ 
panded  product  line  based  on 
NetApp’s  hardware  during  this 
year’s  fourth  quarter  and 
phase  out  its  own  NAS  Gate¬ 
way  500  device  by  year’s  end. 

Nirav  Merchant,  director  of 
IT  at  Arizona  Research  Labo¬ 
ratories  in  Tucson,  currently 
runs  a  NAS  Gateway  500.  Mer¬ 
chant  said  he  likes  the  idea  of 
the  IBM/NetApp  alliance  be¬ 
cause  it  will  offer  him  access 
to  NetApp’s  technology  under 
IBM’s  service  and  support. 


“I  think  it’s  a  good  move  in 
the  right  direction,”  Merchant 
said.  He  added,  though,  that  he 
doesn’t  plan  to  make  any  addi¬ 
tional  NAS  purchases  for  the 
next  12  months  or  so. 


Similar  Partnerships 

Stanley  Zaffos,  an  analyst  at 
Gartner  Inc.,  said  the  similari¬
ties  between  the  EMC/Dell
and  IBM/NetApp  partner¬ 
ships  are  striking.  IBM  and 
NetApp  teamed  up  because 
they  thought  that  together 
they  could  gain  market 
share  from  EMC  and  Dell 
faster  than  they  could
independently,  he  said.

“That’s  the  same  as¬ 
sumption  that  provided 
the  underpinnings  of  the 
EMC/Dell  relationship,” 
Zaffos  noted. 


IBM  has  made  a  number  of 
false  starts  in  the  NAS  market, 
including  the  rollout  of  the 
NAS  Gateway  500,  which  was 
introduced  early  last  year  but 
never  took  off  with  users,  ac¬ 
cording  to  analysts. 

“In  the  absence  of  [IBM] 
doing  something  themselves, 
which  they’ve  demonstrated 
over  the  last  five  to  seven  years 
they  couldn’t  do,  this  is  a 
strong  second,”  said  Arun 
Taneja,  an  analyst  at  The  Tane- 
ja  Group  in  Hopkinton,  Mass. 


IBM’s  TotalStorage  N3700 


The  N3700  is  due  to  ship 
late  this  month.  It  starts  at  a 
list  price  of  $50,000,  which  in¬ 
cludes  14  disk  drives  with  a  to¬ 
tal  storage  capacity  of  1TB. 
The  device  can  be  scaled  up  to 
a  maximum  raw  capacity  of
16.8TB,  IBM  said. 

Meanwhile,  EMC  last  week 
provided  details  about  a  series 
of  additions  and  upgrades  it  is 
making  to  its  Clariion  line  of 
midrange  disk  arrays,  which 
Dell  has  been  selling  and  in 
some  cases  manufacturing 
since  2002. 

EMC  announced  four  Clari¬ 
ion  “disk  libraries”  for  data 
archiving  and  upgraded  the 
product  line’s  internal  archi¬ 
tecture  from  a  Fibre  Chan¬ 
nel  arbitrated  loop  to  a 
point-to-point  architec¬ 
ture  in  an  effort  to  alle¬ 
viate  bottleneck  issues 
when  two  disks  request 
the  same  data.  O  56011 


IM  Security

based  provider  of  technology 
risk  management  and  other 
professional  services. 

“We  never  had  the  comfort 
level  that  we  could  scan  in¬ 
stant  messages  appropriately,” 
Robertson  said.  Another  fac¬ 
tor  that  contributed  to  the  de¬ 
cision  to  disable  the  IM  sys¬ 
tem  last  year  is  that  many 
of  the  company’s  employees 
work  at  client  locations,  he 
added.  Executives  from  Jeffer¬ 
son  Wells  didn’t  want  to  run 
the  risk  of  having  a  virus  or 
worm  infect  a  customer’s 
network. 

Jefferson  Wells  is  a  sub¬ 
sidiary  of  Manpower  Inc.  The 
decision  to  unplug  IM  was 
made  as  part  of  the  unit’s  eval¬ 
uation  of  whether  its  IT  con¬ 
trols  met  the  provisions  of 
Sarbanes-Oxley,  said  John 


Rostern,  New  York-based  di¬ 
rector  of  technology  risk  man¬ 
agement  at  Jefferson  Wells. 

Since  the  system  was  dis¬ 
abled,  the  company’s  IT  staff 
hasn’t  bothered  to  evaluate  the 
available  IM  security  tools  be¬ 
cause  it  isn’t  being  pushed  by 
workers  to  re-establish  IM, 
Robertson  said. 

Steve  Ross,  a  director  at  De- 
loitte  &  Touche  LLP  in  New 
York  and  a  past  president  of 
the  Information  Systems  Audit 
and  Control  Association,  said 
he  knows  of  two  Deloitte 
clients  that  have  disabled 
their  IM  systems  because  of 
Sarbanes-Oxley  concerns. 

Ross  declined  to  identify  the 
companies,  saying  only  that 
one  is  a  services  company  in 
the  southern  U.S.  and  the  oth¬ 
er  is  a  large  New  York-based 
insurer. 

We never had the comfort level that we could scan instant messages appropriately.
SCOTT ROBERTSON, MANAGER OF CORPORATE IT OPERATIONS, JEFFERSON WELLS INTERNATIONAL

Sarbanes-Oxley is a wonderful vehicle for taking things out of people’s hands.
GREG HEDGES, MANAGING DIRECTOR OF TECHNOLOGY RISK, PROTIVITI INC.

Other corporate users are taking steps to strengthen the data security
and archiving capabilities of their IM systems in order to satisfy
Sarbanes-Oxley’s requirements.

For  example,  Chevron  Corp.
is  moving  to  block  outside 
connections  to  an  IM  system 
used  within  one  of  its  operat¬ 
ing  units,  said  Jay  White,  glob¬ 
al  information  protection  ar¬ 
chitect  at  the  San  Ramon, 
Calif.-based  energy  company. 
The  expanded  effort  follows 
the  adoption  in  June  2003  of 
controls  for  maintaining  audit 
records  and  reducing  security 
risks  on  the  IM  system. 

“We  manage  our  own  IM 


system  internally  on  our 
WAN,  but  the  external  con¬ 
nections  have  presented  secu¬ 
rity  [issues],”  added  White, 
who  declined  to  identify  the 
business  unit  involved. 

Some  observers  contended 
that  companies  are  overreact¬ 
ing  to  Sarbanes-Oxley  by  dis¬ 
abling  IM.  “You  can’t  control  a 
phone  call,  so  I  don’t  see  what 
the  difference  is  between  IM 
and  a  phone  call,”  said  Diana 
McKenzie,  chairwoman  of  the 
IT  group  at  Chicago-based  law 
firm  Neal  Gerber  Eisenberg 
LLP.  “To  me,  it’s  not  logical.” 


Greg  Hedges,  managing  di¬ 
rector  of  technology  risk  at 
Protiviti  Inc.,  a  Menlo  Park, 
Calif.-based  company  that
provides  internal  auditing  and 
business-risk  consulting  ser¬ 
vices,  said  some  companies 
have  disconnected  IM  systems 
under  the  pretense  of  comply¬ 
ing  with  Sarbanes-Oxley  in¬ 
stead  of  justifying  those  ac¬ 
tions  for  business  purposes. 

“Sarbanes-Oxley  is  a  won¬ 
derful  vehicle  for  taking  things 
out  of  people’s  hands,”  said 
Hedges,  who  added  that  some 
companies  have  applied  the 
same  rationale  for  disconnect¬ 
ing  wireless  systems. 

But  Ross  said  that  viruses 
embedded  in  instant  messages 
could  cripple  networks.  “Given 
that  [corporate]  management 
feels  the  necessary  controls 
haven’t  been  implemented  or 
can’t  be,”  he  said,  “unplugging 
instant  messaging  wouldn’t  be 
overkill.”  O  56025 


Continued  from  page  1 

Warehouses 

tools  from  GoldenGate  Soft¬ 
ware  Inc.  to  pull  information 
directly  from  its  business  sys¬ 
tems  into  the  data  warehouse, 
said  Jack  Garcella,  the  Salt 
Lake  City-based  retailer’s  vice 
president  of  data  warehousing, 
analytics  and  reporting. 

The  data  warehouse,  which 
is  based  on  NCR  Corp.’s  Tera- 
data  software,  will  replace  a 
process  that  used  traditional 
extract,  transform  and  load 
tools  to  build  reports  directly 
from  Overstock’s  back-end 
systems.  As  the  retailer  grew, 
the  reports  stressed  the  sys¬ 
tems  and  gave  employees  day- 
old  data,  Garcella  said.  Now 
the  data  warehouse  receives 
Web  site  clickstream  data  in 
real  time,  financial  and  prod¬ 
uct-sales  data  every  15  minutes 
and  other  information  hourly. 

“When  we  launch  cam¬ 
paigns  now,  we  can  look  with¬ 
in  five  minutes  and  see  if  they 
are  producing  lift  or  revenue 
that  would  not  normally  have 
happened,”  Garcella  said.  “You 
can’t  wait  until  the  next  day  or 
three  hours  later  to  get  that 
data.”  He  declined  to  specify 


how  much  Overstock  is  spend¬ 
ing  on  the  warehousing  proj¬ 
ect,  other  than  to  say  the  cost 
is  in  the  millions  of  dollars. 

Harrah’s  Entertainment  Inc. 
is  testing  a  real-time  data 
warehouse  that  combines  op¬ 
erational  and  historical  cus¬ 
tomer  data,  said  Tim  Stanley, 
the  Las  Vegas-based  gaming 
company’s  CIO. 

The  new  setup  is  based  on 
an  architecture  that  Harrah’s 
developed  in  mid-2002.  The 
company  is  using  adapters 
from  Tibco  Software  Inc.  to 


feed  information  from  trans¬ 
actional  systems  into  its  Tera- 
data  warehouse  to  help  work¬ 
ers  interact  with  customers 
at  Harrah’s  properties,  on  the 
phone  or  on  the  Harrah’s 
Web  site. 

“It  uses  Teradata’s  trans¬
actional  database  and  also  has
direct  access  to  all  the  histori¬ 
cal  data,”  Stanley  said.  “You 
don’t  have  to  have  two  data¬ 
bases  talk  to  each  other.” 

Changing  Needs 

Eric  Rogge,  an  analyst  at  Ven- 
tana  Research  Inc.  in  San  Ma¬ 
teo,  Calif.,  said  that  because 
business  intelligence  tools  are 
being  used  more  often  for  op¬ 
erational  decision-making, 
many  companies  are  finding 
that  they  need  to  refresh  their 
data  warehouses  more  fre¬ 
quently  than  on  a  nightly  basis. 

“It’s  not  about  loading  a  data 
warehouse  so  a  small  depart¬ 
ment  of  business  analysts  can 
forecast  two  years  out  —  it’s 
for  daily  decisions,”  he  said. 

For  the  past  18  months, 
Avnet  Electronics  Marketing 
has  been  using  a  near-real¬ 
time  data  warehouse  that  cap¬ 
tures  orders  and  updates  of  lo¬ 
gistics  data  from  its  back-end 
system  every  15  minutes,  said 


Kevin  Harrington,  director  of 
IT  delivery  for  global  informa¬ 
tion  solutions  at  the  Phoenix- 
based  electronics  distributor. 

Avnet  uses  tools  from  Infor- 
matica  Corp.  to  move  the  data 
into  the  warehouse.  Because 
of  the  integration  infrastruc¬ 
ture,  it  took  only  24  hours  in 
late  July  to  begin  populating 
the  warehouse  with  order  and 
customer  information  from  a 
company  that  Avnet  recently 
acquired,  Harrington  said. 

But  not  all  users  find  they 
need  real-time  data  warehous¬ 
es.  Merial  Ltd.,  which  makes 
medications  for  pets  and  live¬ 
stock,  last  year  ditched  efforts 
to  create  a  real-time  system 
for  updating  sales  and  inven¬ 
tory  data  from  its  33  ERP  sys¬ 
tems  worldwide.  Although 
some  divisions  updated  in¬ 
voicing  information  daily,  oth¬ 
ers  did  so  only  weekly  or  at 
the  end  of  the  month,  said 
Steve  Lerner,  director  of  infor¬ 
mation  systems,  global  finance 
applications  and  integration  at 
Duluth,  Ga.-based  Merial. 

In  the  end,  the  company  de¬ 
cided  to  use  data  warehousing 
tools  from  Kalido  to  pull  data 
from  its  ERP  systems  once  a 
week.  “The  consensus  among 
the  business  users  was  that 


there  was  no  way  they  were 
prepared  to  make  business  de¬ 
cisions  based  on  sales  other 
than  on  a  weekly  basis,”  Lerner
said.  O  56021

Correction

LAST  WEEK’S  cover  story  on 
the  risks  involved  in  transporting 
data  backup  and  archive  tapes  to 
external  storage  facilities  (“Lost, 
Stolen  or  Strayed”)  incorrectly
spelled  the  name  of  Minneapolis- 
based  Xcel  Energy  Inc. 

IN  THE  “Ask  a  Premier  100  IT 
Leader"  item  on  the  Career 
Watch  page  in  last  week's  issue. 
Gilles  Bouchard  was  incorrectly 
identified  as  Hewlett-Packard 
Co.’s  CIO.  Bouchard  was  CIO 
and  executive  vice  president  of 
operations  at  HP  until  July  U. 
when  the  company  announced 
that  it  was  separating  those  jobs 
and  named  former  Dell  Inc.  CIO 
Randall  Mott  to  run  IT.  Bouchard 
remains  in  charge  of  HP’s  supply 
chain  operations.

DON TENNANT

Changing of the Guard

AS YOU WERE THUMBING through last week’s issue, or scanning the news
stories on our Web site, you may well have glossed over a story that
the more I think about it, the more I’m convinced is one you really
should have read.

I’m referring to Thomas Hoffman’s story titled “School System Uses
Governance Apps to Stretch IT Staff” [QuickLink 55842]. No, I’m not
kidding. Yes, you need to care what the public school system in
Chicago is doing with IT governance and portfolio management. Why?
Because the school system is taking a hosted-applications approach to
the problem, and that’s saving it $200,000 a year.

Yeah, I know, $200k is a rounding error in your IT budget. The point
is, those savings scale, big time. And if you haven’t already done so,
you need to start thinking about how you’re going to offload some of
those overpriced business apps that you’re paying a fortune to
maintain in-house.

Last week, I had an intriguing discussion with Greg Gianforte, founder
and CEO of RightNow Technologies, an on-demand CRM vendor that does
40% of its business with companies with revenue of more than
$1 billion. You can go to RightNow’s Web site (www.rightnow.com) and
read the testimonials from market research firms and from large
corporations that are saving obscene amounts of money by taking the
hosted-applications route. But just to give you an idea, Audiovox says
it saved more than $2.7 million over three years, with an
independently audited ROI of 1,989%. Talk about reducing your
overhead.

So when savings of this magnitude are at stake, why isn’t the
on-demand, software-as-a-service model more widely adopted than it is?
Gianforte makes a very compelling argument that it all has to do with
the fact that it’s nearly impossible for traditional “on-premise”
software vendors to offer the hosted option. These are the reasons he
gives:

■ The software has to be rewritten for “multitenancy” so that hundreds
or thousands of clients can share a common IT infrastructure.

■ “The whole ecosystem consists of systems integrators that are
parasites that feed on the complexity of the applications.” For
traditional software vendors to really embrace this model, they’d have
to alienate their existing partners.

■ The on-demand approach is a pay-as-you-go model. The difficulty here
is that “when you’re used to getting all of your money upfront, it’s
hard to make the transition to this model and keep Wall Street happy.”

■ When you get paid along the way, if you’re not making the customer
happy, you don’t get the renewal. “I’d hate to think what SAP’s or
Siebel’s renewal rates would be if it was dependent on the success of
their deployments.”

What this means is that we’re likely to see more and more start-ups
offering Web-based, on-demand services. A perfect example is the
venture being pursued by Damien Bean, a Computerworld Premier 100 IT
Leader and former vice president of corporate systems at Hilton
Hotels. Bean left Hilton to start CareerCurrency
(www.careercurrency.com), an outfit that hosts e-learning applications
for corporate customers.

“I’m certain that the days of large IT departments being responsible
for all of an organization’s data management needs are over,” Bean
told me last week. “Information service providers can offer far
greater focus and capacity at a cost structure that is a fraction of
that required to maintain systems internally.”

Consequently, Gianforte says, “there’s going to be a changing of the
guard of primary vendors who supply enterprise applications.” I, for
one, salute the very thought. O 55990


JULIE SILVERSTEIN

Keeping User Groups Alive

A  FEW  WEEKS  AGO, 
Interex,  one  of  four 
Hewlett-Packard  tech¬ 
nology  user  groups,  shut  itself 

down.  This  is  a  good  time,  then,  to  ex¬ 
amine  what  user  groups  need  to  do 
to  deliver  sustained  value  to  their  key 
stakeholders  —  their  members  and 
vendors  —  and  how  they  can  remain 
strong  and  relevant.  SmithBucklin  re¬ 
cently  conducted  interview-based  re¬ 
search  to  understand  fully  the  answers 
to  those  questions. 

For  vendors,  user  groups  offer  tangi¬ 
ble,  quantifiable  benefits.  Vendors  say 
user  groups  help  them  reduce  the  cost 
of  communicating  key  messages  to 
users,  minimize  technical  support  ex¬ 
penses,  generate  sales  leads,  strength¬ 
en  inroads  with  business  partners,  and 
create  efficiencies  in 
capturing  market 
feedback,  product 
evaluations  and  com¬ 
petitive  input. 

Equally  important 
are  less  tangible  ben¬ 
efits.  Vendors  place 
an  enormous  value 
on  user  groups  for 
the  unique  customer 
mind-share  they  cre¬ 
ate  and  the  relation¬ 
ships  they  foster. 

This  translates  into 
more  loyal  customers 
and  opportunities 
for  additional  sales. 

To  remain  suc-
cessful,  user  groups  must  also  deliver
sustained  value  to  their  members.  For 
example,  they  provide  intimate  access 
to  the  leading  minds,  technology  and 
information  in  the  industry,  exposing 
members  to  critical  business  solutions 
and  technologies  that  can  save  their 
companies  money.  Effective  user 
groups  repurpose  this  content  on  an 
ongoing  basis,  creating  a  year-round 
community  that  doesn’t  rely  solely  on 
face-to-face  gatherings  to  deliver  value. 

Our  research  shows  that  the  benefits 
received  by  members  —  for  both  the 
companies  they  represent  and  for 
themselves  —  should  be  greater  than 
their  investment  of  time  and  money  in 
the  user  group.  Strong  groups  follow 
this  rule.  To  do  this,  they  must  contin¬
ually  ask  their  members  to  assess  the
value  they  are  deriving  from  their
membership  and  be  willing  to  change 
their  offerings  in  response  to  this  in¬ 
put.  In  addition,  user  groups  must 
communicate  their  value  propositions 
to  members  at  every  opportunity. 

User  groups  must  also  learn  to  iden¬ 
tify  and  avoid  certain  pitfalls.  Those 
with  weak  vendor  relationships  either 
fail  or  end  up  continuously  struggling 
through  unfocused  and  sometimes  ad¬ 
versarial  relationships  with  their  ven¬ 
dor.  On  the  other  side  of  the  equation, 
if  a  vendor’s  primary  approach  to  these 
groups  is  reactive  rather  than  one  of 
driving  initiatives  through  the  user 
group  community,  that  vendor  is  in 
danger  of  fostering  a  negative  relation¬ 
ship.  Effective  user  groups  take  the 
lead  in  building  positive  relationships. 

Strong  user  groups  are  —  and  will 
continue  to  be  —  a  vital  industry  force, 
consistently  delivering  significant  val¬ 
ue  to  their  stakeholders.  For  example, 
the  McKesson  Corp.  health  care  user 
group,  InSight,  created  a  new  type  of
vendor  partnership  involving  four  key 
McKesson  partners  —  Oracle,  Dell,  In¬ 
tel  and  SearchAmerica.  Called  V3,  the 
partnership  gives  InSight  members  a 
unique  look  into  technologies  the 
four  companies  bring  to  large-scale 
McKesson  implementations.  Another 
example  is  the  Americas’  SAP  Users’ 
Group,  which  created  an  online  mem¬ 
ber  resource  called  Year-Round  Com¬ 
munity  that  fosters  ongoing  communi¬ 
cation  among  members  and  serves  as 
an  excellent  way  to  deliver  programs, 
services  and  vital  content. 

In  an  ever-changing  industry  filled 
with  marketplace  uncertainty  and 
mounting  economic  pressures,  the  val¬ 
ue  these  groups  provide  has  managed 
to  remain  one  of  the  few  constants. 

The  trick  is  to  make  sure  that  the  win¬ 
ning  equation  of  user  groups  is  in 
place.  Committed  vendors  working 
with  committed  users  will  yield  maxi¬ 
mum  value  for  all  involved.  O  55899 

MICHAEL 

GARTENBERG 

These  Are 
The  Days, 
My  Friend 

The  poet  Robert  Frost 
wrote,  “Why  abandon 
a  belief  merely  because 
it  ceases  to  be  true?”  A  few 


months  back,  I  talked  about 
things  I  missed  about  older 
products  [“There’s  a  Scar¬ 
city  of  Great  Stuff,”  Quick- 
Link  54487].  Sometimes  I 
find  myself  sounding  a  lot 
like  my  dad  romanticizing 
the  good  old  days.  But  af¬ 
ter  giving  it  a  little  thought, 

I  have  to  admit  that  the 
good  old  days  weren’t  al¬ 
ways  so  good,  and  what 
we’ve  got  now  isn’t  bad. 

Let’s  look  at  a  few  things, 
then  and  now. 

My  desktop  PC:  Ten  years 
ago,  I  was  using  a  133-MHz 
Pentium,  with  16MB  of 
RAM,  a  250MB  hard  disk 
and  an  SVGA  monitor.  It  did 
productivity  applications 
pretty  well,  but  that’s  about 
it.  Today,  I  use  a  3-GHz  P4 
with  1GB  of  RAM  and  200GB  of  hard¬ 
disk  space  connected  to  a  42-in.  dis¬ 
play.  It  can  do  productivity  applica¬ 
tions,  but  it  also  records  all  my  TV 
shows  and  holds  my  entire  music  col¬ 
lection  and  every  photo  I’ve  taken 
since  1995. 

My  laptop:  In  1995,  I  used  a  PowerBook
540c.  It  was  a  pretty  heavy  computer, 
had  a  floppy  drive  and  got  about  an 
hour  of  battery  life.  It  connected  me  on 


the  road  if  I  was  near  a 
phone  jack  or  an  Ethernet 
connection.  The  ThinkPad 
I’m  using  today  gets  six 
hours  of  battery  life,  con¬ 
nects  if  there’s  a  phone  or 
Ethernet  and  uses  Wi-Fi  or 
EV-DO  if  there’s  not.  It  has 
enough  disk  space  to  keep 
all  my  work  as  well  as  my 
music  collection  and  a  few 
videos  to  watch  on  the 
road.  It  also  weighs  less 
than  4  pounds. 

My  PDA:  Ten  years  ago,  I 
used  a  Newton  from  Apple. 
It  had  a  great  operating 
system  but  was  bulky,  ran 
down  AA  batteries  quickly 
and  couldn’t  synchronize 
with  my  PC  to  keep  my 
contacts  and  calendar. 

My  PDA  today  is  a  Palm 
LifeDrive  that  has  4GB  of  storage.  It 
syncs  not  only  my  calendar  and  con¬ 
tact  information,  but  also  every  busi¬ 
ness  document  on  my  PC,  and  it  has 
copies  of  every  picture  on  my  comput¬ 
er  formatted  for  its  screen  and  a  few 
hundred  songs  to  listen  to.  It  also  lets 
me  play  an  arcade-perfect  version  of 
Pac-Man. 

My  phone:  My  bulky  cell  phone  10 
years  ago  had  to  go  in  my  laptop  bag.  It 


let  me  talk  for  about  an  hour,  if  I  was 
lucky  enough  to  get  reception.  Today, 
my  smart  phone  is  tiny  and  fits  in  my 
pocket.  It  carries  a  copy  of  my  contacts 
and  calendar  and  can  even  be  used  for 
e-mail  triage.  It  gets  more  than  four 
hours  of  talk  time  and  works  in  most 
parts  of  the  world. 

I  could  go  on.  I  could  talk  about 
servers  then  and  now  or  digital  cam¬ 
eras.  In  just  about  any  category  you 
can  think  of,  we’ve  benefited  from  the 
indefatigable  effects  of  Moore’s  Law, 
and  the  result  is  that  every  digital  de¬ 
vice  we  use  is  simply  better,  faster,  big¬ 
ger  where  it  counts,  smaller  when  that 
helps  and  more  powerful  than  it  was 
just  a  few  years  ago.  That  has  enabled 
us  to  do  more,  though  it  has  added 
complexity. 

Yes,  sometimes  I  still  feel  nostalgia 
for  the  good  old  days,  but  then  I  use 
my  Bluetooth-enabled  car  to  reroute 
my  calls  automatically  or  a  high-speed 
EV-DO  connection  from  my  laptop 
to  watch  and  control  the  TiVo  in  my 
den  when  I’m  stuck  at  the  airport. 

The  feeling  of  nostalgia  passes  quickly. 
O  55798

CEO’s  Absence  at  HP  Event  Not  So  Absurd


I  DON’T  find  it  odd  that  new  HP 
CEO  Mark  Hurd  won’t  be  attend¬ 
ing  his  own  event  [“No  Hurd?  Ab¬ 
surd,”  QuickLink  55548].  After  all, 
he  is  relatively  new  to  HP,  and  he 
doesn’t  have  an  understanding  of 
the  historical  background. 

HP  and  its  customers  had,  for 
many  years,  a  very  strong  level  of 
commitment  and  cooperation.  The 
user  conferences,  local  meetings 
and  SIG  meetings  were  all  aimed  at 
getting  feedback  from  the  user 
community.  This  doesn’t  seem  to 
be  the  case  anymore.  Macworld 
and  Oracle  OpenWorld  are  just 
about  showcasing  new  products. 
The  vendors  have  been  working 
toward  changing  the  way  we  pur¬ 
chase  and  the  needs  we  have; 
computers,  software  and  peripher¬ 
als  are  commodities.  The  real  mon¬ 
ey  is  in  services.  I  miss  the  old 
days  when  John  Young  and  Dave 
Packard  would  stroll  through  the 
room  and  chat  with  us  customers. 


I  shared  many  a  conversation  with 
people  from  HP  Labs  and  was  able 
to  do  more  with  the  resources  I  in¬ 
vested  in.  So,  Messrs.  Hurd,  Jobs, 
Dell  and  the  rest:  Thanks  for  not  lis¬
tening  to  us  anymore;  we’re  just  the
consumer. 

John  T.  Monaghan 

Vice  president  of  IT, 

Marnell  Corrao  Associates, 
Las  Vegas,  jmonaghan@
marnellcorrao.com

AS  A  long-standing  member  of 
Interex  who  has  attended  vari¬ 
ous  conferences,  beginning  with 
the  one  in  Anaheim  in  1984,  I  was
disappointed  that  the  then-CEO  of 
HP,  John  Young,  wasn’t  at  my  first 
Interex/HP  World  Conference. 

During  the  following  21  years,  the 
CEO  was  not  always  in  attendance. 
In  fact,  Carly  Fiorina  declined  to  at¬ 
tend  the  2000  event,  even  though 
she  was  in  New  York  the  day  the 
conference  opened.  It  was  the  day 


HP  unveiled  the  SuperDome,  and 
the  press  and  Wall  Street  were  well 
served.  Fiorina  did  attend  the  Chica¬
go  2001  and  Atlanta  2003  confer¬
ences,  albeit  for  only  the  keynote
speech  and  a  quick  walk  through
the  exhibit  area.  In  1999,  both  Fiori¬
na  and  the  outgoing  CEO,  Lew  Platt,
attended  the  annual  conference. 
During  that  conference,  I  was  a  vol¬ 
unteer  leader  for  Interex,  serving  as 
the  chair  of  the  High  Availability  Fo¬ 
rum,  and  got  to  spend  time  with 
both  HP  leaders.  I  too  hope  that 
Mark  Hurd  will  reconsider  and  at¬ 
tend  the  HP  Technology  event,  even 
though  I  will  not  be  able  to  do  so. 
Chuck  Ciesinski 
HP-UX  architect,

Board  member,  OpenMPE, 
Germantown,  Md. 


IT  Must  Help  Make 
People  Less  Useless 

That  great  article  [“The  Truth 
About  ‘Useless’  People,”  Quick-
Link  55069]  reminds  us  what  our


true  purpose  is  in  the  IT  realm  -  to 
educate,  to  foster  technical  growth 
and  to  mentor  our  peers  through 
leadership.  We  cannot  forget  for 
one  second  that  not  everyone  might 
understand  technospeak  as  we  try 
to  explain  “simple”  issues  to  the
masses. 

Christian  Markley 

IT  trainer,  T.H.  Properties,
Harleysville,  Pa.,
Christian.Markley@
thproperties.com

QUICKSTUDY

Markup  Languages 

These  languages  use  sets  of  embedded  tags  or 
labels  to  characterize  text  elements  within  a 
document  and  thereby  indicate  their  appear¬ 
ance,  function,  meaning  or  context.  Page  30 


SECURITY  MANAGER’S  JOURNAL 

Dealing  With  an  ISO 
Who’s  Only  So-So 

C.J.  Kelly  confronts  her  agency’s 
information  security  officer,  who’s 
weak  in  most  technical  areas.  Page  32 


OPINION 

Time  for  a  New  View 
Of  Data  Management 

Curt  A.  Monash  says  that  database  management 
is  in  crisis  and  the  only  way  out  is  a  radically 
different  view  of  data  management.  Page  36 


RICHARD  DOWNS 


Insider  security  risks  grow  as 
partners  and  suppliers  increas¬ 
ingly  have  access  to  corporate 
networks.  Here’s  what  compa¬ 
nies  are  doing  about  the  threat. 
By  Jaikumar  Vijayan 

The  fear  of  corporate  data  being 
stolen  or  accidentally  leaked  by 
insiders  is  what  keeps  Andreas 
Wuchner-Bruhl  awake  at  night. 

Detecting  and  stopping  such 
leaks  is  an  enormous  challenge,  es¬ 
pecially  for  large  companies  with 
widely  distributed  data  stores  and  networks, 
says  Wuchner-Bruhl,  head  of  global  IT  se¬ 
curity  at  Novartis  Pharma  AG,  a  $25  billion 
drug  maker  in  Basel,  Switzerland. 

These  days,  the  problem  is  even  tougher 
because  it’s  no  longer  just  the  disgruntled 
or  malicious  employee  who  poses  the  inter¬ 
nal  threat,  says  Wuchner-Bruhl.  It’s  also  the 
careless  user,  the  outside  hacker  posing  as  a 
trusted  user  and  others  with  inside  access 
to  enterprise  networks,  such  as  suppliers, 
partners  and  service  providers. 


As  a  result,  companies  must  take  a  fresh 
look  at  the  scope  of  the  insider  threat  and 
figure  out  what  new  technology,  processes
and  administrative  controls  they  need  to 
implement  to  deal  with  it,  says  Wuchner- 
Bruhl.  “Security  people  like  to  give  the 
impression  that  things  are  under  control,” 
he  says.  “But  the  fact  is,  there  are  so  many 
things  we  don’t  even  begin  to  know”  about
internal  threats. 

Wuchner-Bruhl  is  among  a  growing  num¬ 
ber  of  security  managers  who  are  looking  to 
see  what  new  controls  are  needed  at  a  time 
when  internal  attacks  on  corporate  informa¬ 
tion  systems  are  increasing.  In  fact,  at  many 
of  the  world’s  largest  financial  services  com¬ 
panies,  such  attacks  have  already  surpassed 
external  attacks,  according  to  Deloitte
Touche  Tohmatsu’s  June  report  on  its  2005
Global  Security  Survey.  In  the  survey  of
Fortune  100  companies,  34%  of  the  respon¬ 
dents  said  they  had  experienced  internal  at¬ 
tacks  in  the  past  12  months,  compared  with 
14%  in  2004.  In  contrast,  only  26%  reported 
external  attacks  in  the  past  12  months. 

“Insider  attacks  are  the  most  difficult  to 
catch  because  these  are  legitimate  users  us¬ 
ing  their  legitimate  access  for  inappropriate 
purposes,”  says  Pete  Lindstrom,  an
analyst  at  Spire  Security  LLC  in  Mal¬ 
vern,  Pa.  “They  tend  to  have  the  high¬ 
est  impact,  since  they  are  insiders  with 
access  and  they  know  where  the  valu¬ 
able  information  is.” 

Know  the  Enemy 

Understanding  that  it’s  not  just  the  dis¬ 
gruntled  employee  who  poses  the  in¬ 
sider  risk  is  a  good  place  to  start  ad¬ 
dressing  the  problem,  says  Jonathan 
Bingham,  president  and  chief  technol¬ 
ogy  officer  at  Intrusic  Inc.,  a  Waltham, 
Mass.-based  security  products  vendor. 

Very  often,  the  more  sophisticated 
inside  attacks  are  launched  by  out¬ 
siders  who  have  stolen  legitimate  user 
credentials  and  then  use  them  to  gain 
access  to  high-value  targets,  says  Bing¬ 
ham.  For  example,  selectively  planted 
Trojan  horse  programs  were  used  to 
collect  the  usernames  and  passwords 
of  highly  privileged  users  at  more  than 
300  critical  infrastructure  companies 
in  the  U.K.  earlier  this  year.  The  cre¬ 
dentials  were  then  used  by  hackers  to 
gain  access  to  high-value  systems.  Be¬ 
cause  such  targeted  attacks  generate 
much  less  traffic  than  mass  attacks, 
they  are  harder  to  detect  using  tradi¬ 
tional  antivirus  and  e-mail  filtering 
tools,  users  say  (see  related  story, 
QuickLink  55220). 


The  growing  interconnectedness  of 
enterprise  networks  also  means  it’s  not 
just  the  employee  who  has  access  to 
internal  assets.  “We  can  have  a  situa¬ 
tion  where  a  guy  who  has  legitimate 
access  for  a  day  can  plant  a  back  door 
on  our  systems  and  log  in  at  will  later,” 
says  Jeff  Nigriny,  chief  security  officer 
at  Exostar  Inc.,  a  business-to-business 
portal  for  the  aerospace  industry  in 
Herndon,  Va. 

Detecting  the  telltale  signs  of  such 
activity  requires  a  deeper  analysis  of 
network  traffic  and  behavior  than  most 
traditional  security  technologies  pro¬ 
vide,  Nigriny  says. 

Nigriny’s  company  is  using  a  hard¬ 
ware  appliance  from  Intrusic  called 
Zephon  to  analyze  network  traffic  at 
the  packet,  session,  host  and  environ¬ 
ment  levels.  Such  monitoring  allows 
companies  like  Exostar  to  identify  sus¬ 
picious  internal  network  activity  such 
as  data  flows  going  in  the  wrong  direc¬ 
tion,  servers  consuming  data  instead  of 
producing  it  and  computers  communi¬ 
cating  with  one  another  where  no  such 
communication  existed  previously, 
Bingham  says. 

Malicious  insiders  use  network  re¬ 
sources  in  subtly  different  ways  from 
normal  users.  Intrusic’s  tool  is  de¬ 
signed  to  detect  such  “illegal  move¬ 
ment  of  a  sophisticated  individual 
within  a  network,”  Bingham  says. 


“It  looks  for  things  down  at  the  Level 
2  and  Level  3  layers.  It  doesn’t  care 
what  the  application  is,”  says  Nigriny. 
The  tool  can  be  used  to  identify  issues 
as  varied  as  a  misconfigured  firewall, 
an  employee  downloading  porn  or 
someone  attempting  to  upload  confi¬ 
dential  data  to  an  external  server  in  an 
HTTP  stream,  he  says. 
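The three behaviors listed above (new machine-to-machine conversations, flows in the wrong direction, servers consuming rather than producing data) can be checked against a learned baseline of flow records. The sketch below is an added example, not Intrusic's algorithm or code from the article; the flow tuples, address ranges and finding names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organisation's internal range

# Constructed flow records: (initiator, responder, bytes sent by initiator,
# bytes sent by responder). BASELINE is a learning period, OBSERVED is "today".
BASELINE = [
    ("10.1.0.21", "10.2.0.5", 4_000, 900_000),     # workstation reads from file server
    ("10.1.0.22", "10.2.0.5", 3_500, 750_000),
    ("10.1.0.21", "10.2.0.9", 2_000, 120_000),     # workstation queries database
    ("10.1.0.21", "198.51.100.7", 1_500, 60_000),  # workstation browses the web
]
OBSERVED = [
    ("10.1.0.21", "10.2.0.5", 4_200, 880_000),       # matches the baseline
    ("10.1.0.22", "10.2.0.9", 2_500, 90_000),        # pair never seen before
    ("10.2.0.5", "203.0.113.40", 5_000_000, 8_000),  # server opens an outbound session
    ("10.1.0.23", "10.2.0.9", 40_000_000, 6_000),    # database host receives bulk data
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def profile(flows):
    """Summarise who talks to whom, who initiates, and bytes sent/received per host."""
    pairs, initiators = set(), set()
    sent, received = defaultdict(int), defaultdict(int)
    for src, dst, src_bytes, dst_bytes in flows:
        pairs.add(frozenset((src, dst)))
        initiators.add(src)
        sent[src] += src_bytes
        received[src] += dst_bytes
        sent[dst] += dst_bytes
        received[dst] += src_bytes
    return pairs, initiators, sent, received


def detect_flow_anomalies(baseline, observed):
    base_pairs, base_init, base_sent, base_recv = profile(baseline)
    _, _, obs_sent, obs_recv = profile(observed)
    findings = set()
    for src, dst, _, _ in observed:
        # Two internal machines talking where no such communication existed before.
        if is_internal(src) and is_internal(dst) and frozenset((src, dst)) not in base_pairs:
            findings.add(("new_pair", " <-> ".join(sorted((src, dst)))))
        # Wrong direction: a host seen only as a responder now initiates a flow.
        if src in base_sent and src not in base_init:
            findings.add(("server_initiated", f"{src} -> {dst}"))
    for host in obs_sent:
        # A host that produced data in the baseline is now mostly consuming it.
        if (is_internal(host) and host in base_sent
                and base_sent[host] > base_recv[host]
                and obs_sent[host] < obs_recv[host]):
            findings.add(("now_consuming", host))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in detect_flow_anomalies(BASELINE, OBSERVED):
        print(f"{kind:17} {subject}")
```

None of the rules looks at ports or payloads, which matches the point that such analysis "doesn't care what the application is."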

What’s  Going  Out 

Network  egress  filtering  is  another 
way  of  finding  out  whether  protected 
data  is  leaving  corporate  boundaries  in 
an  illegal  fashion,  says  Jeff  Karafa,  chief 
financial  officer  at  Community  Bank  of 
Dearborn  in  Michigan. 

The  bank  uses  a  hardware  appliance 
from  Reconnex  Inc.  in  Mountain  View, 
Calif.,  to  examine  outgoing  corporate 
e-mail,  Web  mail,  instant  messages  and 
Web  posts  for  confidential  data  such  as 
customer  account  numbers. 

Like  other  products  in  its  class, 
Reconnex’s  iGuard  technology  uses  a 
combination  of  exact  data  matching, 
contextual  analysis  and  policy  infor¬ 
mation  to  alert  administrators  when 
specific  pieces  of  protected  informa¬ 
tion  traverse  the  network.  Such  alerts 
can  be  useful  in  identifying  both  mali¬ 
cious  leaks  and  accidental  ones  — 
such  as  an  employee  sending  a  file 
containing  confidential  information  to 
his  personal  e-mail  account  so  he  can 
work  on  it  at  home. 
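A minimal sketch of how exact data matching, contextual analysis and policy can combine on outbound messages follows. It is an added example, not Reconnex's implementation; the account numbers, mail domains, keyword list and the alert/log policy are constructed assumptions.

```python
import hashlib
import hmac
import re

INDEX_KEY = b"constructed-demo-key"   # assumption: secret that keys the fingerprint index
INTERNAL_DOMAIN = "bank.example"      # assumption: the organisation's own mail domain
# Runs of 8-16 digits, allowing single spaces or hyphens between digits.
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){7,15}(?!\d)")
CONTEXT = re.compile(r"\b(account|acct|customer|balance|routing)\b", re.I)


def fingerprint(value):
    """Keyed hash of the digits only, so the index never stores raw account numbers."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(INDEX_KEY, digits.encode(), hashlib.sha256).hexdigest()


def build_index(account_numbers):
    return {fingerprint(n) for n in account_numbers}


def scan_outbound(recipient, body, index, window=40):
    """Return (last four digits, confidence, action) for each protected number found."""
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    hits = []
    for m in DIGIT_RUN.finditer(body):
        if fingerprint(m.group()) not in index:
            continue                                  # e.g. phone numbers, order ids
        # Contextual analysis: account-related words near the match raise confidence.
        nearby = body[max(0, m.start() - window):m.end() + window]
        confidence = "high" if CONTEXT.search(nearby) else "low"
        action = "alert" if external else "log"       # policy: destination decides
        hits.append((re.sub(r"\D", "", m.group())[-4:], confidence, action))
    return hits


# Constructed sample data.
INDEX = build_index(["400012345678", "400098765432"])
MESSAGES = [
    ("jdoe@webmail.example", "Customer list attached. Account 4000-1234-5678 is overdue."),
    ("ops@bank.example", "Ticket 400098765432 reopened."),
    ("jdoe@webmail.example", "Call me at 313-555-0142 about lunch."),
]

if __name__ == "__main__":
    for to, text in MESSAGES:
        print(to, scan_outbound(to, text, INDEX))
```

Matching happens on message text, so it has nothing to inspect once the channel is encrypted, the limitation Wuchner-Bruhl raises later in the article.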

The  amount  of  data  that  trickles  out 
in  such  fashion  can  be  surprising, 
Karafa  says.  “We  thought  we  were  do¬ 
ing  pretty  well  on  our  own”  in  detect¬ 
ing  such  leaks,  he  says.  But  then  the 
bank  tested  Reconnex’s  egress-filtering 
tool  and  noticed  how  much  sensitive 
information  was  slipping  out,  often  as 
a  result  of  employees  making  mistakes. 
In  one  case,  an  employee  was  found  to 
be  sending  customer  account  informa¬ 
tion  to  a  former  worker  and  was 
promptly  fired,  Karafa  says. 

“When  that  data  was  presented  to 
us,  it  was  something  of  an  eye-opener,” 
says  Karafa,  who  also  uses  the  Recon¬ 
nex  tool  to  monitor  the  Web  surfing 
habits  of  employees. 

But  content-monitoring  tools  don’t 
always  scale  well  and  are  of  limited  use 
in  environments  where  network  traffic 
is  encrypted,  says  Wuchner-Bruhl.  He 
is  considering  using  digital  rights  man¬ 
agement  technologies  to  tag  confiden¬ 
tial  data  and  intellectual  property  in 
order  to  control  how  it  is  accessed  and 
used.  DRM  tools,  which  are  available 
from  vendors  such  as  Microsoft  Corp., 
Authentica  Inc.  and  Liquid  Machines 
Inc.,  are  designed  to  let  companies 
track  how  data  is  used  and  prevent  em¬ 


ployees  who  don’t  have  the  right  privi¬ 
leges  from  doing  things  like  reading, 
altering,  copying,  printing  and  for¬ 
warding  data. 

For  the  Money 

Financial  motives  appear  to  be  a  pri¬ 
mary  driver  in  a  growing  number  of 
insider  attacks,  says  Bingham.  One 
example  of  that  trend  is  the  theft  of 
information  on  about  60,000  Bank  of 
America  Corp.  customers  by  a  New 
Jersey-based  data-theft  ring  that  had 
also  stolen  information  from  three 
other  banks  —  Wachovia  Corp.,  Com¬ 
merce  Bancorp  Inc.  and  PNC  Bank  NA 
[QuickLink  54542].  The  ring’s  mem¬ 
bers  included  seven  former  employees 
from  across  the  four  banks. 

Most such inside attacks are planned
in  advance  and  can  be  prevented  if  the 
right  controls  are  in  place,  according  to 
a  report  released  in  May  by  the  U.S. 
Secret  Service  and  Carnegie  Mellon 
University’s  CERT  Coordination  Cen¬ 
ter.  Good  configuration  management 
practices,  for  instance,  allow  compa¬ 
nies  to  identify  unauthorized  changes 
to  software  or  the  creation  of  unautho¬ 
rized  remote-access  accounts,  both  of 
which  could  portend  trouble,  the  re¬ 
port  says.  Segregating  the  duties  of 
systems  administrators  and  privileged 
users  is  another  way  of  ensuring  that  a 
single  person  doesn’t  have  unbridled 
access  to  network  resources,  according 
to  the  report. 

It’s  also  important  to  have  the  right 
processes  in  place  for  disabling  net¬ 
work  access  when  employees  are  ter¬ 
minated,  notes  the  report,  which  is 
based  on  an  investigation  of  49  cases 
of  insider  attacks  via  computer  sys¬ 
tems  in  critical  infrastructure  sectors 
between  1996  and  2002. 

Many  inside  attacks  continue  to  be 
the  work  of  disgruntled  employees  and 
former  workers  who  still  have  access 
to  corporate  systems  after  they  leave, 
according  to  the  CERT  report. 

In  many  cases,  the  triggers  for  such 
attacks  are  negative  work-related  inci¬ 
dents  that  could  be  addressed  via  for¬ 
mal  human  resources  processes  for 
handling  employee  grievances,  and 
by  reporting  suspicious  behavior,  the 
report  says. 

Companies  need  to  use  access  con¬ 
trol  and  account  provisioning  tools  to 
identify  and  close  the  “orphan  ac¬ 
counts”  that  are  left  behind  when  em¬ 
ployees  leave  or  are  terminated.  The 
failure  to  close  such  accounts  gives 
former  employees  an  entry  into  the 
corporate  network. 
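Finding orphan accounts, and the unauthorized remote-access accounts the report mentions, comes down to reconciling an HR extract against an export of accounts. The script below is an added example, not taken from the CERT report or any product named in the article; the record layouts, user names and dates are constructed assumptions.

```python
from datetime import date

# Constructed HR extract: employee id -> termination date (None = still employed).
HR = {
    "E100": None,
    "E101": date(2005, 6, 30),
    "E102": date(2005, 7, 15),
}
# Constructed account export from the directory and the remote-access server.
ACCOUNTS = [
    {"user": "arivera",     "owner": "E100", "enabled": True,  "last_login": date(2005, 8, 1)},
    {"user": "bchen",       "owner": "E101", "enabled": True,  "last_login": date(2005, 7, 20)},
    {"user": "cokafor",     "owner": "E102", "enabled": False, "last_login": date(2005, 7, 14)},
    {"user": "cokafor-adm", "owner": "E102", "enabled": True,  "last_login": date(2005, 7, 10)},
    {"user": "vpn-temp2",   "owner": None,   "enabled": True,  "last_login": None},
]


def audit_accounts(hr, accounts):
    """Return sorted (user, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner not in hr:
            # No HR record behind the account: possibly created outside provisioning.
            if acct["enabled"]:
                findings.append((acct["user"], "no_owner"))
            continue
        left = hr[owner]
        if left is None:
            continue                      # owner is a current employee
        last = acct["last_login"]
        if last is not None and last > left:
            # Worst case: the account was used after its owner had left.
            findings.append((acct["user"], "used_after_termination"))
        elif acct["enabled"]:
            findings.append((acct["user"], "orphan_enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(HR, ACCOUNTS):
        print(f"{user:12} {finding}")
```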

Training,  user  awareness  and  admin¬ 
istrative  measures  are  perhaps  as  im- 


ATTMKSMEM 


that can result

from  an  insider  attack,  carrying  one  out 
doesn’t  always  take  a  lot  of  technologi¬ 
cal  savvy,  according  to  security  experts. 

Most  of  the  more  traditional  attacks 
involving  disgruntled  employees  result 
from  companies  failing  to  shut  down 
network  access  privileges  after  an  em¬ 
ployee  has  been  terminated  or  has  left 
the  company,  according  to  a  report  re¬ 
leased  in  May  by  the  U.S.  Secret  Service 
and  the  CERT  Coordination  Center. 

In  the  49  incidents  studied,  the  insid¬ 
ers  were  often  systems  administrators 
or  privileged  users  who  knew  their  way 
around  their  network  and  already  had  a 
good  idea  of  where  the  important  infor¬ 
mation  was.  So  there  often  was  little 
need for scanning activity or sophisticated
programming to access key data.

Many times, the attacks take advantage
of process holes - such as a failure
to vet who has access to critical information
- rather than technological ones,
according to security experts.


Easy 


Even  the  relatively  sophisticated  at¬ 
tacks  by  outsiders  posing  as  trusted  in¬ 
siders  rely  heavily  on  human  factors  to 
succeed.  Many  such  attacks  use  phish¬ 
ing  and  pharming  methods  to  get  unsus¬ 
pecting  users  to  part  with  network  cre¬ 
dentials  that  are  then  used  to  gain  ac¬ 
cess  to  high-value  targets. 

There  are  also  many  fairly  straight¬ 
forward  ways  that  data  can  be  taken  out 
of  enterprises  without  anyone’s  knowl¬ 
edge,  says  Andreas  Wuchner-Bruhl, 
head  of  global  IT  security  at  drug  maker 
Novartis  Pharma.  They  include  using  file 
transfers,  sending  data  in  e-mail  attach¬ 
ments  and  uploading  data  to  remote  sys¬ 
tems.  The  ubiquity  of  high-capacity 
small-format  storage  devices  such  as 
USB  fobs,  writable  CDs  and  handheld 
devices  makes  it  easy  for  people  to 
download  large  amounts  of  data  and 
simply  walk  away  with  it  with  very  little 
traceability,  Wuchner-Bruhl  says. 

-  Jaikumar  Vijayan 


SOURCE: “MAZU NETWORKS INTERNAL THREAT REPORT,” MARCH 2006

In a survey commissioned by Mazu
Networks Inc. in Cambridge, Mass.,
security professionals who have had
internal security breaches reported the
following consequences:

Breach led to the interruption of a critical business system: 40%

Breach resulted in data corruption or loss: 38%

Breach led to intellectual property theft: 17%


VULNERABILITIES


The  same  security  professionals  claim 
to  have  found  the  following  network 
vulnerabilities  over  the  past  12  months: 


Active user accounts that belonged to ex-employees: 46%

Misconfigured hosts or networking equipment: 44%

Rogue wireless access points: 31%

Network nodes with default passwords enabled


BASE:  IT  security  professionals  at  229  companies  with 
more  than  1,000  employees.  Multiple  responses  allowed. 


portant  as  technology  when  it  comes 
to  dealing  with  insider  risks,  says  Kim 
Milford,  information  security  manager 
at  the  University  of  Rochester  in  New 
York. 

Outside  hackers  are  increasingly  us¬ 


ing  social  engineering  methods,  such 
as  spoofed  e-mails  and  Web  sites,  to 
lure  people  into  disclosing  sensitive  in¬ 
formation  and  user  credentials.  These 
so-called  phishing  and  pharming  ex¬ 
ploits  are  now  among  the  top  security 


concerns of the financial companies in
the  Deloitte  survey. 

The  efficacy  of  such  methods  on  un¬ 
trained  users  can  be  alarming,  says 
Jason  Jones,  a  webmaster  at  a  private 
university  in  Texas  that  he  asked  not 
be  named.  In  a  test  earlier  this  year, 
Jones  and  his  team  managed  to  harvest 
authentication  credentials  from  over 
90%  of  targeted  individuals  by  using 
spoofed  e-mail  and  Web  pages  de¬ 
signed  to  look  as  though  they  were 
from  the  university’s  IT  security  team. 

Educating  and  training  employees 
about  such  issues  is  key,  Milford  says. 
It’s  also  vital  that  employees  know  se¬ 
curity  policies  and  the  consequences 
of  misusing  corporate  data  and  net¬ 
work  resources,  says  Wuchner-Bruhl. 

Technological  measures  are  impor¬ 
tant  as  well,  Milford  says.  Among  those 
Milford  has  found  useful  are  controls 
that  enforce  least  privilege  rules, 
meaning  they  give  users  no  more  ac¬ 
cess  than  they  need.  She  also  likes 
tools  that  use  IP  restrictions  to  limit 


access  to  protected  information  and 
keep  logs  for  monitoring  unsuccessful 
application  access  attempts. 

In addition, Milford advocates the
use of what she calls a “carrot-and-stick
policy” to induce good security
practices.  The  stick  could  be  a  compre¬ 
hensive  policy  with  strong  enforce¬ 
ment,  she  says.  The  carrot  could  take 
the  form  of  incentives  for  completing 
security  training,  such  as  job  reclassifi¬ 
cation,  merit  raises,  bonuses  and  in¬ 
creased  opportunities  for  career  devel¬ 
opment,  Milford  says.  Empowering 
staffers  at  all  levels  of  the  organization 
to  learn  about  security  and  take  steps 
to  guard  organizational  resources  in 
their  power  is  also  key,  she  says. 

“Education,  empowerment  and  en¬ 
forcement  are  probably  the  most  criti¬ 
cal  ways  to  create  a  climate  of  security 
for  administrators  and  users,”  Milford 
says.  “Utilizing  and  reinforcing  the 
message that everyone has a responsibility
for information security is important.” O 55809

ACXIOM CORP.
processes billions of records
every month, culling from
sources like customer-prospect
lists, phone records and retail store
sales to generate usable consumer
data for its business clients.

The  high  volume  was  impressive,  but 
company  officials  wanted  to  process 
even  more  —  quicker  and  cheaper,  too. 

“We  decided  there  had  to  be  a  better 


Case Study: Acxiom Corp.

Talley says he spread applications
over  multiple  machines  “instead  of  us¬ 
ing  one  big  machine.  We  were  much 
faster,  and  the  incremental  cost  to  do 
one  record  was  significantly  lower 
than  our  previous  implementation.” 

The  team  of  eight  to  10  tech  workers 
worked  on  and  demonstrated  the  grid 
computer  project  to  CEO  Charles  D. 
Morgan  in  the  summer  of  2001. 

“He  said,  ‘This  is  great.  Go  do  it  to  all 
of  the  Acxiom  products,’  ”  Talley  recalls. 

Acxiom’s  use  of  grid  technology 

makes  the  company  a  leader  in 
this  area,  says  Ahmar  Abbas, 
an  analyst  at  Grid  Technology 
Partners  in  South  Hadley, 
Mass.,  and  author  of  Grid 
Computing:  A  Practical  Guide 
to  Technology  and  Applications 
(Delmar  Thomson  Learning, 
2003).  As  for  the  technology’s 
impact  on  Acxiom’s  perfor¬ 
mance,  he  says,  anything 
workers  can  do  to  make 
processes  run  better,  cheaper 
and  faster  “is  going  to  have  a 
direct  impact  on  the  services  they  offer 
and  the  money  they  can  generate.” 

John  Ripa,  group  leader  for  Acxiom 
data  products,  says  the  impact  of  the 
new  technology  is  significant. 

He  points  to  one  of  the  company’s 
products,  InfoBase  Enhancement,  as 
a  prime  example.  A  client  —  a  cell 
phone  company,  for  example  —  might 
ask  for  consumer  information  to  target 
new  customers  or  to  cross-sell  to  exist¬ 
ing  ones.  The  client  sends  Acxiom  mil¬ 
lions  of  its  own  records,  which  Acxiom 
then  processes  against  its  database  of 
consumer  information  to  produce  the 
detailed  consumer  files  the  cell  phone 
company  wants. 

Working  with  the  CII  grid  computing 
technology,  Acxiom  improved  the 
speed  of  its  build  process  by  83%,  Ripa 
says.  It  increased  the  speed  at  which  it 
delivers  these  files  to  clients  by  77%. 
“And  the  reliability  improved  dramati¬ 
cally.  We’re  as  close  as  we  can  get  to 
zero  downtime,”  he  adds.  Equally  im¬ 
pressive  is  an  86%  reduction  in  hard¬ 
ware  costs,  Ripa  says,  comparing  costs 
prior  to  and  after  implementation. 

“This  gives  our  clients  the  ability  to 
do  things  rapidly  that  could  never  be 
considered  before,”  Ripa  says,  adding 
that  companies  are  willing  to  pay  a 
premium  for  that  speed. 

Talley  says  the  biggest  challenge  for 
Acxiom  was  “dealing  with  the  psycho¬ 
logical  impact.  People  are  comfortable 
with  paradigms  that  are  old  and  famil¬ 
iar.”  The  changes  required  workers 
“to  rethink  existing  processes  and  soft¬ 
ware.”  Acxiom  also  had  to  manage  a 


tions  infrastructure  organization. 

Acxiom  had  managed  most  data 
using  IBM  mainframes  running  MVS 
until  1995,  when  it  moved  its  internal 
processes  and  clients’  applications  to 
symmetrical  multiprocessing  platforms. 
Although  SMP  technology  was  more 
powerful  and  cost-effective,  Acxiom 
still  spent  more  than  $150  million  an¬ 
nually  for  capital  equipment  to  main¬ 
tain  its  capability. 

But  Acxiom  staffers  were  already  at 
work  developing  a  high-performance 
application  called  AbiliTec  to 
link  and  clean  information  on 
individual  consumers  gleaned 
from  multiple  data  sources. 

Acxiom  matches  every  name 
and  address  it  receives  from 
clients  against  its  in-house 
AbiliTec  reference  base 
of  20  billion  records.  More 
than  40  billion  records  are 
linked  each  month. 


A grid project slices delivery times for records data
and cuts hardware costs by 86%. By Mary K. Pratt

way,” says Charles C. Howland, grid infrastructure
group leader.

So  tech  workers  developed  the  Cus¬ 
tomer  Information  Infrastructure  (CII), 
winner of a 2005 Computerworld Honors
award. This grid environment allows
Acxiom  to  handle  a  higher  data  volume 
faster  and  with  less-costly  equipment. 

Consider,  for  example,  that  it  often 
took  more  than  three  months  to  update 
Acxiom’s  InfoBase  database;  on  the 
grid,  it  takes  three  days.  “We  would  not 
be  able  to  run  our  business  the  way  we 
do  today  without  this  capability,”  says 
Alex  Dietz,  leader  of  the  Acxiom  solu- 


The  application  worked 
well,  but  Acxiom  needed  20 
environments  with  Unix  SMP 
supporting  AbiliTec  to  handle  the  pro¬ 
cessing  load.  It  was  expensive  and  still 
not  fast  enough,  says  Terry  Talley,  a  se¬ 
nior  technical  adviser  based  in  Conway, 
Ark. 

Payback  Potential 

So  in  2000,  a  research  team  set  out  to 
find  a  better  way,  pinning  its  hopes  on 
grid  technology.  Dietz  credits  Talley 
with  the  plan:  “He  came  to  us  with  the 
idea  of  wiring  together  a  bunch  of  PCs, 
and he proved it would work.”

ACXIOM AT A GLANCE

The $1.2 billion Little Rock,
Ark.-based company has more than
6,000 employees, and 1,850 are IT workers.

Acxiom  collects  and  main¬ 
tains  consumer  data  from 
nearly  every  household  in  the 
U.S.,  which  it  offers  to  clients  that  need  ad¬ 
dresses,  phone  numbers  and  demographic  data 
for  their  direct-mail  and  telemarketing  efforts. 

Champions of the grid computing
project: CEO Charles D. Morgan;
Alex Dietz, leader of the Acxiom solutions infrastructure
organization; senior technical adviser
Terry Talley; and development leaders Charles
C. Howland, Chad Fitz and Chris Bennett.

Project payback: Company officials
wouldn't provide specific ROI figures but said
the move to CII and the underlying grid allowed
them to handle 22.5% more processing with
the same number of workers.


large  number  of  computers  over 
the  long  term. 

“We  have  built  a  lot  of  software  to 
address  this  challenge,”  Talley  says. 

“It’s  relatively  easy  to  get  a  bunch 
of machines up and running for the first
time.  It’s  much  more  difficult  to  add  to, 
replace  and  update  those  machines 
over  time,  and  the  problem  is  magni¬ 
fied  if  you  have  thousands  of  nodes.” 

Lessons  Learned 

Without  a  road  map  to  guide  them, 
Acxiom’s  IT  workers  had  to  rely  on 
their  own  internal  resources  to  com¬ 
pensate  for  a  lack  of  commercial  prod¬ 
ucts.  As  a  result,  they  built  their  own 
resource  scheduler,  grid  control,  main¬ 
tenance  interfaces,  software  distribu¬ 
tion  functions  and  grid-enabled  data 
management  functions. 

Open-source  software  was  used 
when  available;  when  it  wasn’t,  the  IT 
staff  wrote  components.  Acxiom  offi¬ 
cials  also  tapped  experts  who  were  de¬ 
veloping  general-purpose  grid  prod¬ 


ucts  at  other  companies  to  confirm 
that  they  were  on  the  right  path. 

The  rewards  overshadow  many  of 
the  challenges.  Talley  points  to  a  de¬ 
mographic  enhancement  product  that 
took  nearly  30  days  to  run  on  a  large 
Unix  computer;  it  takes  less  than  one 
day  on  the  grid  version. 

“Our  grid  is  all  about  performance. 
It’s  about  being  able  to  do  things  you 
couldn’t  do  before,”  Talley  says. 

In  2003,  Acxiom  announced  that  it 
would  host  client  data  and  run  client 
processes  in  the  grid  environment,  too 
—  a  strategy  that  evolved  into  the  ar¬ 
chitecture  known  as  CII. 

CII  product  leader  Ken  Archer  says 
the  speed,  flexibility  and  scalability  of 
the  grid  is  key  to  meeting  clients’  needs. 

“A  large  part  of  our  customer  base  is 
financial  services,  specifically  around 
customer  marketing  and  customer  ac¬ 
quisition.  And  if  they  can  get  the  data 
quicker,  they  can  get  offers  out  faster 
to  make  those  decisions,”  he  says. 

Acxiom  now  has  more  than  4,000 


rack-mounted,  two-processor  nodes  in 
its  data  centers  that  are  dedicated  to 
the  grid.  Each  node  is  a  PC-based 
server  running  Linux. 

Officials  won’t  disclose  how  much 
the  company  has  invested  in  its  grid 
computing  project,  although  they 
indicate  its  value  is  well  worth  the 
cost.  They  cite  the  case  of  one  large 
credit  card  issuer,  which  had  a  file 
of  250  million  customer  records 
processed  and  scored  in  parallel 
using  both  the  CII  environment  and 
mainframe;  the  time  to  completion 
with  CII  was  15  hours  versus  more 
than  150  hours  on  the  mainframe. 

Dietz  says  Acxiom  is  still  migrating  to 
grid  computing,  so  about  half  of  its  work 
still flows through legacy environments.
Says Talley, “We’ll have a constant
evolution in both size and function
over the next few years.” O 55876


Pratt  is  a  Computerworld  contributing 
writer  in  Waltham,  Mass.  Contact  her  at 
marykpratt@verizon.net.

DEFINITION

Markup  languages  use  sets  of  embedded  tags  or  labels 
to  characterize  text  elements  within  a  document  so 
as  to  indicate  their  appearance,  function,  meaning  or 
context.  Originally  used  for  production  within  the 
publishing  industry,  markup  languages  have  prolifer¬ 
ated  since  the  widespread  adoption  of  XML. 


BY  RUSSELL  KAY 

IN 1969, three IBM researchers
created GML, a formatting
language for document
publishing.  Understood  to 
mean  Generalized  Markup 
Language,  the  letters  also  hap¬ 
pened  to  be  the  initials  of  its 
creators:  Charles  Goldfarb, 
Edward  Mosher  and  Raymond 
Lorie. 

GML  allowed  text  editing 
and  formatting,  and  it  enabled 
information-retrieval  subsys¬ 
tems  to  share  documents. 
Instead  of  a  simple  tagging 
scheme,  however,  GML  intro¬ 
duced  the  concept  of  a 
formally  defined  docu¬ 
ment  type  containing 
an  explicit  hierarchy  of 
structured  elements. 

Major  portions  of 
GML  were  implement¬ 
ed  in  mainframe  publishing 
systems,  and  the  language 
achieved  substantial  industry 
acceptance.  IBM  adopted 
GML  and  produces  over  90% 
of  its  documents  with  it. 

GML  was  expanded  with 
additional  concepts,  such  as 
short  references,  link  process¬ 
es  and  concurrent  document 
types,  into  Standard  General¬ 
ized  Markup  Language.  SGML 
made  inroads  in  the  publish¬ 
ing  world,  especially  at  the 
U.S.  Government  Printing 
Office,  and  it  became  an  inter¬ 


national  standard  in  1986. 

Still,  SGML  was  largely  un¬ 
known  until  1990,  when  Tim 
Berners-Lee,  inventor  of  the 
World  Wide  Web,  created  Hy¬ 
pertext  Markup  Language  as  a 
subset  of  SGML.  Soon,  every 
type  of  document  and  data 
was  being  littered  with  tags 
at  the  beginning  and  end 
of  text  elements  like  this: 
<tag>and</tag>.  Then  Exten¬ 
sible  Markup  Language  (XML) 
came  along  in  the  late  1990s, 
and  the  IT  world  hasn’t  been 
the  same  since. 

In  fact,  it  seems  that  hardly 
a  day  goes  by  without  a 
new  markup  language 
being  announced  or 
described.  Indeed, 
Computerworld  has 
published  separate 
QuickStudies  on  10 
markup  languages,  and  that 
just  scratches  the  surface.  A 
Google  search  on  “markup 
language”  returns  more  than 
6  million  pages. 

Thus  we  present  this  short¬ 
hand  guide  to  current  markup 
languages.  It  certainly  doesn’t 
cover  them  all,  but  it  does  give 
an  idea  of  the  flexibility  and 
power  of  the  concept  and  how  it 
is  being  used.  Most  are  simple 
extensions  of  XML  or  document 
type  definitions  specialized  for 
a  particular  area  of  interest, 
but  some  are  quite  complex. 


The  Languages 

■  Business  Process  Execution 
Language:  BPEL  is  designed  to 
run  a  series  of  Web-based 
transactions  and/or  character¬ 
ize  interfaces  that  are  needed 
to  complete  Web-based  trans¬ 
actions.  It’s  used  for  modeling 
business  processes,  with  spec¬ 
ifications  for  transactions  and 
compensating  transactions, 
data  flow,  messages  and 
scheduled  events,  business 
rules,  security  roles,  and  ex¬ 
ceptions.  QuickLink  54724 

■ Cell Markup Language:
CellML  stores  and  exchanges 


computer-based  mathematical 
models,  allowing  scientists  to 
share  models  even  if  they  use 
different  model-building  soft¬ 
ware.  It  also  enables  them  to 
reuse  components  from  one 
model  in  another,  thus  acceler¬ 
ating  model  building.  CellML 
includes  mathematics  and 
metadata  by  leveraging  existing 
languages,  including  MathML. 
www.cellml.org 

■  Chemical  Markup  Language: 
CML  is  a  new  approach  to 
managing  molecular  informa¬ 
tion  that  uses  recently  devel¬ 
oped  Internet  tools  such  as 
XML  and  Java.  Based  strictly  on 
SGML,  it’s  capable  of  holding 
extremely  complex  information 
structures  and  can  therefore 
act  as  an  interchange  mecha¬ 
nism  or  an  archiving  tool.  It 
interfaces  easily  with  modern 
database  architectures,  such 
as  relational  or  object-orient¬ 
ed.  Most  important,  a  large 
amount  of  generic  XML  soft¬ 
ware  to  process  and  transform 
it  is  already  available  from  the 
community. www.xml-cml.org

■  DARPA  Agent  Markup  Langu¬ 
age:  XML  has  a  limited  ability 
to  describe  the  relationships 
between  objects.  DAML  ex¬ 
tends  XML  by  using  ontologies 
—  explicit  formal  specifica¬ 
tions  of  how  to  represent  the 
objects,  concepts  and  other  en¬ 
tities  in  a  particular  area  of  in¬ 
terest,  along  with  the  relation¬ 
ships  among  them. 
www.daml.org/about.html 

■  Dynamic  Markup  Language: 


DML  is  an  XML-based  lan¬ 
guage  designed  specifically 
for  object-based  graphics  con¬ 
struction  and  the  development 
of  user  interfaces.  Similar  to 
HTML,  it  includes  extensions 
that  support  calculations,  ar¬ 
gument-passing  and  variable 
storage. www.rocklyte.com/dml

■  Directory  Services  Markup 
Language:  DSML  defines  the 
data  content  and  structure  of  a 
directory  and  maintains  it  on 
distributed  directories.  DSML 
gives  developers  a  simple  and 
convenient  way  to  implement 
XML-based  applications  on 
the  Internet.  Such  support  is 
crucial to e-commerce applications.
QuickLink a6820

■  Financial  Products  Markup 
Language:  FPML  is  a  business 
information  exchange  stan¬ 
dard  for  electronic  trading  and 
processing  of  financial  deriva¬ 
tives  instruments.  It  establish¬ 
es  a  protocol  for  sharing  infor¬ 
mation  on  and  dealing  in  de¬ 
rivatives  and  structured  prod¬ 
ucts.  www.fpml.org/index.html 

■  Hypertext  Markup  Language: 
The  backbone  of  the  Web, 
HTML  is  based  on  a  dialect  of 
GML  that  was  previously  used 
at  CERN.  Its  primary  innova¬ 
tion  was  to  allow  simple  hyper¬ 
text  links  from  one  document 
to another. www.w3.org/Markup

■  Human  Markup  Language: 

HML  is  part  of  an  effort  to  pro¬ 
vide  a  framework  for  the  over¬ 
all  human  communication 
process,  including  areas  and 


The  Nonmarkup  MLs 


Not  every  language  or  acronym  ending  in  “ML” 
represents  a  markup  language.  Here  are  the 
best-known  exceptions. 

■ ML: “ML” originally stood for “metalanguage,” but
it’s a general-purpose programming language designed
for large projects. There are two main dialects in use today:
Standard ML (SML; see www.dcs.ed.ac.uk/home/stg/NOTES),
a mathematically defined version of the language
formulated in part by some of the original language
developers; and Objective Caml (OCaml; see
http://caml.inria.fr), an offshoot version from the original
ML to which features are added at will without being defined
in a standard. Other related languages include
Extended ML (EML; see http://homepages.inf.ed.ac.uk/dts/eml)
and Alice ML (www.ps.uni-sb.de/alice).

ML and its variants are purely functional languages
and don’t allow any assignment to storage. These functional
languages are difficult to program in, but their programs
are much more amenable to formal analysis and
proofs of correctness.

■ Unified Modeling Language: UML is a standard
notation for modeling real-world objects as part of developing
an object-oriented design methodology. UML is
used for modeling application structure, behavior and architecture,
along with business processes and data structures.
Vendors of many computer-aided software engineering
products support the language. UML was developed
from methodologies that also describe the processes
in developing and using the model. (www.uml.org)

■ YAML Ain’t Markup Language: YAML is an international
collaboration to make a data-serialization language
that is both readable by humans and computationally
powerful. (www.yaml.org)

- Russell Kay




COMPUTERWORLD  August  8, 2005 


concepts  such  as  thought, 
emotions,  behaviors,  kinesics, 
beliefs  and  facial  expressions, 
through  graphical  or  text- 
based  representation.  It  goes 
way  beyond  emoticons! 
www.humanmarkup.org 

■  Materials  Markup  Language: 
MatML  was  developed  for  the 
interchange  of  materials  infor¬ 
mation.  www.matml.org 

■ Multimedia Retrieval Markup
Language:  MRML  unifies  ac¬ 
cess  to  multimedia  retrieval 
and  management  software 
components  to  extend  their 
capabilities. www.mrml.net

■  Physical  Markup  Language: 
PML  is  a  simple,  general  lan¬ 
guage  for  describing  physical 
objects  and  environments  for 
industrial,  commercial  and 
consumer  applications.  PML 
allows  modularity  and  flexibil¬ 
ity  so  it  can  be  used  in  moni¬ 
toring  and  controlling  a  physi¬ 


cal  environment.  Applications 
include  inventory  tracking,  au¬ 
tomatic  transactions,  supply 
chain  management,  machine 
control  and  object-to-object 
communication. http://web.mit.edu/mecheng/pml/index.htm

■  Security  Assertion  Markup 
Language:  SAML  is  an  XML- 
based  framework  for  commu¬ 
nicating  user  authentication, 
entitlement  and  attribute  in¬ 
formation.  It  allows  business¬ 
es  to  make  assertions  regard¬ 
ing  the  identity,  attributes  and 
entitlements  of  a  subject 
(often  a  human  user)  to  other 
entities,  such  as  a  partner  com¬ 
pany  or  another  enterprise  ap¬ 
plication.  www.oasis-open.org/ 
committees/security/faq.php 

■  Services  Provisioning  Markup 
Language: SPML is a framework
for  exchanging  user,  resource 
and  service  provisioning  in¬ 
formation  between  applica¬ 


tions  and  organizations. 
QuickLink  41908 

■  Speech  Synthesis  Markup 
Language:  SSML  assists  in  the 
generation  of  synthetic  speech 
in  Web  software  and  other  ap¬ 
plications  by  providing  a  stan¬ 
dard  way  to  control  speech  as¬ 
pects  such  as  pronunciation, 
volume,  pitch  and  rate  across 
different  platforms. 
www.w3.org/TR/speech-synthesis 

■  User  Interface  Markup  Lan¬ 
guage:  UIML  permits  the  cre¬ 
ation  of  user  interfaces  for  any 
device,  target  language  and  op¬ 
erating  system  on  a  device.  It 
describes  three  things:  the  ap¬ 
pearance  of  a  UI,  user  interac¬ 
tion  with  the  UI  and  how  the 
UI is connected to the application
logic. www.uiml.org

■  Voice  Extensible  Markup  Lan¬ 
guage:  Voice-activated  applica¬ 
tions  are  increasingly  common, 
and  VoiceXML  specifies  com¬ 


mon  features  to  help  ensure 
portability  between  platforms. 
www.voicexml.org/ 

■  Wireless  Markup  Language: 
WML  describes  content  and 
formats  for  presenting  data  on 
limited-bandwidth  devices 
such  as  cellular  phones  and 
pagers.  Rather  than  attempt¬ 
ing  to  deliver  the  same  Web 
page  content  you  would  see 
on  a  PC,  WML  presents  main¬ 
ly  text-based  information  opti¬ 
mized  for  mobile  devices. 
QuickLink  a6800 

■  Extensible  Access  Control 
Markup  Language:  XACML  is  an 
XML-based  schema  that  was 
designed  for  creating  policies 
and  automating  their  use  to 
control  access  to  disparate  de¬ 
vices  and  applications  on  a 
network.  QuickLink  38180 

■  Extensible  Markup  Language: 
XML  was  created  to  combine 
the  extensibility  of  SGML  with 


the  simplicity  and  wide  sup¬ 
port  of  HTML.  Basically  a 
subset  of  SGML,  it’s  simpler 
and  easier  to  implement  and 
allows  most  of  SGML’s  capa¬ 
bilities.  XML  was  approved  as 
a  standard  by  the  World  Wide 
Web  Consortium  in  1998. 
QuickLink  a6790  O  55873 


Kay  is  a  Computerworld  con¬ 
tributing  writer  in  Worcester, 
Mass.  You  can  reach  him  at 
russkay@charter.net. 


Dealing With an ISO
Who’s  Only  So-So 

As  our  security  manager  realigns  the  work¬ 
load  for  her  team,  she  confronts  an  infor¬ 
mation  security  officer  who’s  weak  in  most 
technical  areas.  By  C.  J.  Kelly 


HAVE YOU EVER watched
a  so-so  movie,  eaten  at 
a  so-so  restaurant  or 
attended  a  so-so  the¬ 
ater  production?  Such  activi¬ 
ties  are  time-fillers,  but  they 
don’t  really  add  much  to  your 
life.  I  have  a  very  hard  time 
with  nonproductive,  nonedify- 
ing  activities.  I  don’t  go  back 
to  so-so  restaurants,  and  I 
don’t  recommend  so- 
so  movies  or  plays.  If 
a  book  doesn’t  grab 
me,  I  don’t  finish  it. 

Life  is  short,  and  each 
thing  I  do  needs  to 
mean  something  and 
be  of  value. 

So,  what  happens  when  you 
manage  a  so-so  employee? 

I’m  not  one  to  just  ignore  the 
problem  or  give  the  employee 
tasks  of  no  great  importance 
just  to  keep  him  busy  and  out 
of  the  way.  All  work  should 
count  and  help  the  organiza¬ 
tion  reach  its  goals. 

My  problem  is  an  underper¬ 
forming  information  security 
officer  (ISO).  She  doesn’t  have 
a  technical  background,  and 
though  she  once  had  supervi¬ 
sory  responsibilities,  they 
were  taken  away  because  her 
direct  reports  were  complain¬ 
ing  bitterly  about  her  lack  of 
management  skills.  I’m  not 
sure  exactly  how  she  fell  into 
the  position  of  ISO,  but  I  think 
people  in  the  agency  we  work 
for  had  been  wondering  what 
to  do  with  her  just  when  the 
legislative  requirements  of 
the  Health  Insurance  Portabil¬ 
ity  and  Accountability  Act  se¬ 
curity  rule  went  into  effect 
and  it  became  necessary  to 
assign  someone  ISO  duties. 

As happened within many
organizations that were considered
“covered entities” under
HIPAA, my agency acted without
fully understanding the duties
of an ISO. I’ll get to the basic
misunderstanding behind
this common mistake later.

I  am  now  realigning  the 
workload  among  my  staff 
members,  and  as  part  of  this 
task,  I  must  take  a  hard  look 
at  the  ISO  position  and  make 
a  decision  about 
who  should  have 
that  responsibility. 

The  current  ISO 
isn’t  performing,  pri¬ 
marily  because  she 
lacks  experience  and 
education  in  the  se¬ 
curity  field.  I  have  tried  for  half 
a  year  to  mentor  her,  offering 
educational  materials  and 
pointing  her  toward  webcasts, 
seminars  and  security  white 
papers.  It’s  like  trying  to  teach 
a  foreign  language  to  someone 
who  doesn’t  have  a  solid  grasp 
of  her  native  tongue.  Her  in¬ 
ability  to  grasp  the  material  is 
apparently  due  to  a  dearth  of 
foundational  knowledge  re¬ 
garding  networked  computing 
basics  (TCP/IP,  client/server 
architecture,  LAN/WAN 
topologies). 

The  rate  of  change  in  net¬ 
working  technologies  is  chal¬ 
lenging  to  keep  up  with,  even 
if  you  do  know  the  basics.  For 
this  ISO,  it’s  impossible. 




I  told  the  ISO  that  several 
other  staff  members  were 
sorely  overloaded  but  that  we 
had  just  expanded  the  staff  by 
one  employee  and  it  was  an 
opportune  time  to  take  a  look 
at  job  responsibilities  across 
the  team.  As  I  looked  at  what 
needed  to  be  done  by  the  team, 
I  had  categorized  a  host  of 
tasks  as  “adminisdribble”  — 
administrative  tasks  that 
shouldn’t  be  on  the  desks  of 
senior  IT  and  security  staffers. 
Half  of  those  tasks  were  sit¬ 
ting  on  the  ISO’s  desk.  I  ex¬ 
plained  that  I  would  be  taking 
them  off  her  desk  and  re-eval- 
uating  each  of  the  processes 
to  see  if  they  could  be  stream¬ 
lined,  integrated  and  automat¬ 
ed.  She  became  more  and  more 
uncomfortable  as  I  spoke. 

New  Classification 

I  listed  for  her  all  the  job 
responsibilities  for  the  entire 
team  and  pointed  out  where 
some  members  were  over¬ 
loaded.  I  had  hoped  that  she 
would  offer  to  help  the  team. 
She  did  not.  Instead,  she 
became  defensive  and  agitat¬ 
ed  and  noted  that  another 
government  agency  was  creat¬ 
ing  a  new  security  classifica¬ 
tion.  She  wanted  to  “wait  for 
that  opportunity”  —  a  new 
classification. 

I  took  another  tack.  I  used 
the  whiteboard  to  list  the  du¬ 
ties  I  thought  an  ISO  or  senior 
security  person  should  be  re¬ 
sponsible  for  in  regards  to  ar¬ 
chitecture  and  administration. 
Those  included  policies  and 
procedures;  intrusion  detec¬ 
tion;  firewalls;  VPNs;  anti¬ 
virus,  antispam  and  antispy¬ 
ware  efforts;  patch  manage¬ 
ment;  vulnerability  scanning; 
risk  assessment;  and  disaster 
recovery. 

She  blurted  out,  “But  those 
are  all  technical  in  nature!” 

“Yes,  they  are,”  I  responded, 
“and  if  I  were  going  to  hire  a 


security  person,  these  would 
be  his  or  her  duties.” 

We  were  at  an  impasse  cre¬ 
ated  by  that  long-ago  misun¬ 
derstanding  about  the  nature 
of  the  ISO  position.  When  the 
HIPAA  security  rule  went 
into  effect,  covered  entities 
such  as  my  agency  were  re¬ 
quired  to  designate  someone 
to  handle  ISO  responsibilities. 
Many  covered  entities  noticed 
that  roughly  80%  of  the  poli¬ 
cies  and  plans  required  by 
the  HIPAA  security  rule  are 
categorized  as  “administra¬ 
tive,”  only  5%  or  so  are  cate¬ 
gorized  as  “technical,”  and 
the  rest  are  categorized  as 
“physical.” 

Here’s  the  misunderstand¬ 
ing:  Even  though  the  bulk  of 
the  policies  are  deemed  ad¬ 
ministrative,  implementing 
the  policies  is  primarily  a 
technical  exercise.  I  believe  — 
and  many  may  argue  with  me 
—  that  writing  a  good  policy 
requires  a  solid  understanding 
of  what  technologies  are  avail¬ 
able  to  implement  the  plan. 
You  need  some  technical 
knowledge  to  be  able  to  visu¬ 
alize  the  plan.  You  can’t  say, 
“Thou  shalt  do  thus”  and  not 
be  able  to  “do  thus.” 

The  ISO’s  response  to  the 
situation  was  painful  for  both 
of  us  because  we  both  knew 
that  she  viewed  her  position 
as  highly  valuable  to  her.  But 
as  long  as  the  agency’s  ISO 
lacked  the  technical  founda¬ 
tion  to  be  able  to  write  imple¬ 
mentation  plans  and  execute 
them,  the  value  to  the  organi¬ 
zation  was  not  there.  She  was 
very  good  at  adminisdribble, 
but  we  already  have  an  admin¬ 
istrative  assistant  for  those 
tasks. 

In  dismay,  she  asked  if  I 
would  rewrite  her  job  descrip¬ 
tion  and  let  her  know  what  I 
wanted her to do in alignment
with the agency’s needs. Our
next meeting is in two days.

WHAT  DO  YOU  THINK? 

This  week’s  journal  is  written  by  a  real 
security  manager,  “C.J.  Kelly,”  whose 
name  and  employer  have  been  disguised 
for  obvious  reasons.  Contact  her  at 
mscjkelly@yahoo.com, or join the discussion
in our forum.
Microsoft to Host
Hackers  Regularly 


Microsoft Corp. is working on
plans to make a recent hacker
meeting held on its campus a
twice-yearly event, according
to a spokesman for the vendor’s
security group. The company
plans to host another
Blue Hat security event this
fall. In sessions at the initial
Blue Hat event, security researchers
demonstrated to
Microsoft executives and
developers how flaws in the
vendor’s products could be
exploited.

Securing  Data 
With  Fingerprints 

Atmel Corp. and Bionopoly
LLC’s FingerGear division introduced
the Bio USB Flash
Drive. The flash-based thumb-drive
storage device uses fingerprint
recognition technology
to secure data. It connects
to the computer using USB
2.0. The Bio USB Flash Drive
is available initially with a
256MB capacity for $149.


Netsky, Mytob Top
Viruses in July


Sophos PLC reported that the
most widespread virus that
caused problems for businesses
around the world last
month was Netsky-P, a worm
written by recently convicted
German teenager Sven
Jaschan. However, variants of
the Mytob worm dominated the
poll, accounting for seven of
the top 10 positions and more
than 37% of all viruses reported
to Sophos during the month.

Spam  Prevention 

Engate Technology Corp. announced
Engate MailSentinel,
which uses patent-pending
technology to prevent unwanted
or malicious e-mail from
leaving the source. Rather
than analyzing the content of a
message to determine its legitimacy,
MailSentinel analyzes
the actual SMTP session to detect
the tricks used by spammers
to hide their identities.
Japan Aims to
Be  Tops  in  FLOPS 


■  OFFICIALS  IN  JAPAN  have  announced  that 
the  country  intends  to  build  a  supercomputer 
that  will  be  73  times  faster  than  today's  top 
computer. 

The current champ, IBM’s Blue Gene, can
handle  136.8  trillion  floating-point  operations 
per  second,  or  TFLOPS.  The  Japanese  educa¬ 
tion  and  science  ministry  plans  to  develop  a 
machine  that  could  operate  at  10  PFLOPS,  or 
10  quadrillion  calculations  per  second.  It’s  tar¬ 
geted  to  be  up  and  running  by  March  2011. 

So,  what  will  this  gorilla  of  a  computer  do? 
Obviously  no  machine  for  small  tasks,  it  will  be 
used  to  model  the  formation  of  the  galaxy, 
track  climate  changes  and  simulate  human  re¬ 
actions  to  new  drugs.  In  general,  supercomput¬ 


ers  are  used  for  scientific  calculations  that 
would  be  impossible  on  any  but  the  blindingly 
fast  number  crunchers. 

Japan’s  Earth  Simulator  had  been  at  the  top 
of  the  supercomputer  heap  until  it  was  dis¬ 
placed  by  Blue  Gene  in  2004.  At  present,  the 
three  fastest  machines  in  the  world  were  all  de¬ 
veloped  in  the  U.S.  Observers  of  the  technol¬ 
ogy  market  noted  that  Japan’s  latest  project 
has  been  triggered  both  by  the  desire  to  com¬ 
pete  with  Western  nations  and  to  hold  off 
China,  its  rising  regional  technology  rival. 

Japan  has  budgeted  $900  million  to  devel¬ 
op  the  10  PFLOPS  computer. 
DIFFERENCE ENGINES

What a
Coincidence

Walther Bothe, a German
physicist, mathematician and chemist,
developed his “coincidence circuit,”
considered the first AND logic gate. It
was developed to detect cosmic ray
events and high-energy particles. The
techniques influenced several fields of
technology, such as the design of
radar circuits in the 1940s.

The main idea of coincidence detection
is that if a detector identifies
some particle (called “clicks”), this is
quite likely (with a certain probability
p) not a real event but thermal or other
noise. But if two detectors click
simultaneously, the probability that
it’s still a noise event is extremely reduced.
This technique therefore greatly
improves signal-to-noise ratio.

The coincidence circuit must be able
to differentiate between two signals
that come at the same time from those
that are more than a few microseconds
apart. Designing such electronics
was a major achievement at Bothe’s
time and earned him a share of the
1954 Nobel Prize in physics.

Walther Bothe developed the AND logic gate.

As the first AND logic gate, the coincidence
circuit represents one of the
most basic building blocks of digital
circuits.

Most logic gates have two inputs
and one output. At any given moment,
every terminal is in one of the two binary
conditions, low (0) or high (1),
represented by different voltage levels.
The logic state of a terminal can and
generally does change often as the circuit
processes data.

The  AND  gate  is  so  named  because 
it  acts  in  the  same  way  as  the  logical 
“and”  operator.  The  output  is  “true” 
when  both  inputs  are  true.  Otherwise, 
the  output  is  false.  O  55921 


GROVES  OF  ACADEMIA 


Augmented  Reality  for 
Poultry  Trimmers 

■  TECHNOLOGY  that  displays  com¬ 
puter-generated  information  on  the 
physical  world  is  being  tested  in  poul¬ 
try  plants  to  improve  communication 
between  computers  and  workers. 

Using  augmented  reality  (AR)  tech¬ 
nology,  researchers  at  the  Georgia 
Tech  Research  Institute  (GTRI)  have 
designed  two  systems  that  project 
graphical  instructions  from  an  auto¬ 
mated  inspection  system  onto  birds  on 
a  processing  line.  These  symbols  tell 
workers  how  to  trim  or  whether  they 
should  discard  defective  products. 
Right  now,  inspection  is  done  visually 
by  human  screeners,  who  communi¬ 
cate  with  trimmers  using  hand  ges¬ 
tures.  But  an  automated  system  devel¬ 
oped  and  field-tested  by  the  GTRI  is 
being  commercialized,  and  poultry 
plants  are  likely  to  implement  the  tech¬ 
nology  soon,  according  to  J.  Craig 
Wyvill,  head  of  the  GTRI  Food  Technol¬ 
ogy  Processing  division. 

Two  AR  systems  developed  by  pro¬ 
fessor  Blair  MacIntyre  and  colleagues 
Parth  Bhawalkar,  a  graduate  student, 
and  Simeon  Harbert,  a  GTRI  research 
engineer,  address  these  commercial 
requirements. 

The  first  uses  a  location-tracked, 
see-through,  head-mounted  display.  It 
overlays graphical instructions on a
trimmer’s  view  of  the  birds.  The  sec¬ 
ond  uses  a  laser  scanner,  mounted  in 
a  fixed  location  near  the  processing 
line,  to  project  instructions  onto  each 
bird  that  requires  an  action,  such  as 
trimming.  In  this  approach,  the  product 
rather  than  the  user  must  be  tracked. 
Scalix Offers App
For  PIM  Choice 

■  Scalix  Corp.  announced  its  new 
Scalix  Wireless  Solution,  which 
lets  users  choose  the  wireless 
service  carriers  and  devices  they 
use  to  send  and  receive  e-mail, 
maintain  contacts  and  calendars, 
and  manage  personal  information 
management functions. The application
supports all BlackBerry
and Palm OS devices, including
the Treo, along with a variety of
Windows Mobile devices such as
the HP iPaq and smart phones
from Samsung Corp. and Motorola
Inc., according to Scalix. The
software, which starts at a one-time
server list price of $1,000
and a monthly per-user fee of $10
for 100 users, supports all major
wireless services.


Troux  Updates 
Modeling  Tool 

■  Troux  Technologies  Inc.  has 
begun  shipping  Metis  Enterprise 
5.0,  a  visual  modeling  tool  for 
managing  enterprise  architec¬ 
tures.  The  system,  which  Troux 
acquired when it purchased Norway-based
Computas Technology
AS earlier this year, can help centralize
the management of IT governance
processes, said Troux.
Customers  can  choose  desktop, 
workgroup  or  enterprise  prod¬ 
ucts.  Pricing  varies  based  on  cus¬ 
tomer  needs  and  customization. 


Electric  Mail  Offers 
Updated  Service 

■ Electric Mail, a provider of
managed secure e-mail services,
has announced an enhanced
version of its PerimeterProtect
service, which provides spam and
content filtering and virus blocking
for business e-mail systems.
The new version includes improved
message quarantining and
tighter integration with Microsoft
Exchange Server 2003 and Exchange
Server 2000, according
to the company, which is a wholly
owned subsidiary of j2 Global
Communications Inc. Pricing
starts at $2 per user per month.


CURT  A.  MONASH 


Time  for  a  New  View 
Of  Data  Management 


DATABASE MANAGEMENT is in a crisis,
one  that’s  only  partly  recognized.  The 
horrors  of  data  integration  may  be  well 
known,  but  they’re  only  the  tip  of  a  much 
larger  iceberg:  schema  complexity.  Pro¬ 


grammers,  system  architects, 
and  database  administrators 
focusing  on  design  and  oper¬ 
ation  alike  —  all  their  jobs 
are  made  immeasurably 
harder  by  the  boggling  com¬ 
plexity  of  relational  schemas. 

As  schema  diversity  ex¬ 
plodes,  the  pure  relational 
model  is  collapsing  under  its 
own  weight.  We  must  replace 
it  with  a  radically  different 
view  of  data  management, 
which  I’m  calling  DBMS2,  for 
database  management  system 
services.  The  key  aspects  of 
DBMS2  include  the  following: 

■  Task-appropriate  data  managers.  Just  use 
whatever  is  cheapest  and  simplest  for 
each set of applications. Possible choices
include  but  are  not  limited  to  cheap  on¬ 
line  transaction  processing  DBMSs,  high- 
end  OLTP  DBMSs,  data  warehouse  ap¬ 
pliances,  XML-based  document  stores, 
highly  distributed  and/or  small-footprint 
DBMSs,  in-memory  systems  without  their 
own  persistent  storage,  or  cross-corpus 
indexers  without  their  own  storage. 

■  Drastic  limitations  on  relational  schema 
complexity.  Relational  schemas  shouldn’t 
go  far  beyond  two  simple  models:  master- 
detail  for  transactions,  and  hypercubes/ 
star  schemas  for  analytics.  Anything  in¬ 
herently  more  complex  is,  with  rare  ex¬ 
ceptions,  better  handled  via  the  schema 
flexibility  of  XML.  If  you  need  to  access 
data  from  a  legacy  application  that  vio¬ 
lates  these  precepts,  do  so  via  XML- 
based  Web  services. 

■  Both  XML-based  and  relational  information 
integration.  Eventually,  most  DBMS2  data 
integration  will  be  done  via  XML.  But 
relational  enterprise  information  inte¬ 
gration  will  long  have  a  role  to  play, 
such  as  connecting  core  OLTP  and  data 


warehouse  systems. 

DBMS2  is  the  antithesis 
of  much  current  database 
theory.  Rather  than  fighting 
modularity,  DBMS2  em¬ 
braces  it.  Rather  than  gath¬ 
ering  administrative  tasks  in 
one  huge  hairball,  it  spreads 
them  across  many  simple 
systems.  Above  all,  unlike 
the  Oracle  pipe  dream  of  a 
grand  unified  enterprise  re¬ 
lational  database,  DBMS2  is 
a  pragmatic,  realistic  contin¬ 
uation  of  what  every  large 
enterprise  is  doing  today. 

The  need  and  opportunity  for  DBMS2 
are  driven  by  two  overlapping  trends: 
platform  change  and  schema  explosion. 
For  starters,  DBMS2  depends  on  the  in¬ 
creasing  availability  of  XML  and  Web 
services  technology.  It  will  be  years  be¬ 
fore  XML-based  data-manipulation  lan¬ 
guages  are  sufficiently  robust  to  handle 
the  requirements  of  DBMS2,  but  those 
developments  will  happen,  and  most  big 
software  vendors  will  provide  strong 
support  for  them  in  a  timely  manner. 

Beyond  that,  one  of  the  biggest  rea¬ 
sons  for  embracing  DBMS2  is  a  flood 
of  low-cost  alternatives  to  traditional 
DBMSs.  For  most  enterprises,  relational 
OLTP  is  approaching  commodity  status. 
Microsoft  SQL  Server  is  following  Ora¬ 
cle  up  the  food  chain,  while  MySQL 
(which  is  even  slated  for  SAP  certifica¬ 
tion  in  two  to  three  years,  or  maybe  less) 
nips  at  Microsoft’s  heels. 

Even  more  important,  there’s  been 
an  explosion  in  ultracheap  OLAP  tech¬ 
nologies,  both  in-memory  and  in  appli¬ 
ance  formats.  Most  of  these  have  very 
simple  indexing  schemes  —  some  have 
no  indexes  at  all  —  which  yields  huge 
TCO advantages in storage costs and
administrative overhead alike.

The  opportunity  provided  by  these 
fledgling  technologies  might  seem  bal¬ 
anced  by  obvious  risks.  But  before  long, 
embracing  them  will  be  the  only  viable 
choice.  The  primary  reason  is  schema 
explosion,  on  multiple  fronts. 

First,  there’s  an  explosion  in  profiles. 
CRM  customer  profiles  (ideally  with  full 
Web  site  click-trail  data),  vendor  pro¬ 
files,  security-oriented  user  profiles,  you 
name  it  —  in  almost  all  cases,  the  avail¬ 
able  information,  and  types  of  informa¬ 
tion,  vary  from  one  profilee  to  the  next. 
Mobile/pervasive  devices  just  worsen 
the  problem,  adding  complexity  in  terms 
of  location,  availability  and  form  factor. 
Centralized,  pre-DBMS2  master  data 
management  will  never  succeed. 

Second,  text  documents  are  becoming 
an  ever  bigger  part  of  IT,  be  they  com¬ 
plex  forms  and  contracts,  maintenance 
manuals,  health  records,  Web  marketing 
content  or  just  e-mail.  Documents  are 
commonly  unpredictable  in  structures 
and  sometimes  in  authoring  and  editing 
metadata  as  well.  And  the  ultimate  solu¬ 
tions  to  making  text  search  work  will  de¬ 
pend  on  further  schema  extension  and 
variability,  in  a  number  of  respects. 

Finally,  IT  needs  to  be  infused  through¬ 
out  with  representations  of  trust.  Securi¬ 
ty,  compliance,  missing  data  —  they  all 
ultimately  require  some  formalized  hier¬ 
archy  of  trust.  So  do  the  multiple  uncer¬ 
tainties  of  search  engine  results,  docu¬ 
ment  author  reliability,  planning  fore¬ 
casts  and  the  like.  The  final  resolution  of 
these  issues  will  require  schema  com¬ 
plexity  beyond  what  relational  systems 
can  realistically  handle. 

Should  you  throw  out  Oracle  and  DB2? 
Hardly.  But  maybe  you  should  reduce 
your  reliance  on  them.  The  move  to 
DBMS2 lets you exploit a variety of database
technology advances from a variety
of  vendors.  For  specific  product  ideas, 
see  my  blog  at  www.computerworld.com/ 
blogs/monash.  O  55953 
OPINION:

The  Elusive  Executive  Sponsor 

Business  leaders  can  be  reluctant  to 
serve  as  the  executive  sponsors  of 
an  IT  project.  Don’t  let  them  off  the 
hook,  Bart  Perkins  says.  He  offers 
some  suggestions  to  get  your 
executives  to  commit.  Page  46 


Brace  yourself:  You  could  be  legal¬ 
ly  responsible  for  worldwide  net¬ 
work  security. 

OK,  that  may  be  an  overstate¬ 
ment,  but  it  does  capture  the 
essence  of  what’s  ahead. 

Companies  that  pass  viruses, 
worms  or  any  type  of  malware  to 
other  companies  via  electronic  transmissions  such  as 
e-mail  could  find  themselves  in  court,  say  legal  and 
security  experts.  And  they  could  be  held  liable  for 
damage  done,  even  if  they  unintentionally  spread 
such  cyberpests. 

“There’s  very  little  question  that  it’s  going  to  come. 
The  concept  of  due  diligence  has  done  nothing  but 
push  its  way  out  into  the  consciousness  of  everyone  in 
this  country,”  says  Charles  Hibnick,  chief  systems  secu¬ 
rity  architect  at  AvMed  Health  Plans  Inc.,  a  health  in¬ 
surance  company  in  Miami. 

The  stage  is  being  set  for  such  action,  experts  say. 
Federal  laws,  government  agencies  and  private  orga¬ 
nizations  are  setting  new  standards  for  network  and 
Internet  security.  Meanwhile,  lawyers  are  testing  var¬ 
ious  legal  theories  for  punishing  cyberspace  crimi¬ 
nals.  And  some  companies  with  established  relation¬ 
ships  are  signing  contracts  detail¬ 
ing  security  expectations  that  pro¬ 
hibit  even  the  accidental  transmis¬ 
sion  of  malware. 

Given  all  this,  can  litigation  be 
far  off? 

“I  do  think  we  are  looking  at  this 
type  of  litigation  in  the  future.  And 
I  think  it’s  going  to  happen  sooner 
rather  than  later,”  says  Rodger 
Cole, a litigation partner at Fenwick &
West  LLP  in  Mountain  View,  Calif. 

In  fact,  some  companies  are  already 
pursuing  other  businesses,  albeit  qui¬ 
etly,  to  recoup  losses  resulting  from 
computer-related  problems,  says  Julie 
K.  Davis,  executive  vice  president  at 
Aon  Affinity  Insurance  Services  Inc.  in 
San  Jose  and  co-author  of  e-Risk:  Lia¬ 
bilities  in  a  Wired  World. 

Some  cases  involve  companies  inad¬ 
vertently  releasing  viruses,  worms  and 
the  like,  she  says.  Others  involve  con¬ 
tractual  liability  in  situations  where 
companies  had  agreements  to  keep 
systems  secure.  Davis  says  these  cases 
haven’t  wound  up  in  court  —  yet  — 
because  executives  prefer  to  avoid  the 
media  spotlight  on  such  issues. 

“You  certainly  have  claims.  What 
people  usually  do  is  turn  it  against 
their  own  corporate  insurance  poli¬ 
cies,”  she  says,  adding  that  traditional 
policies  generally  won’t  cover  such 
claims,  however. 

Dangerous  Times 

Given  the  state  of  electronic  communi¬ 
cations,  the  potential  for  getting  into 
trouble  is  staggering. 

“If  you’re  operating  on  the  Internet 
today,  there  is  some  level  of  constant 
attack  activity,”  says  Art  Manion,  an 
Internet  security  analyst  at  the  CERT 
Coordination  Center  at  Carnegie  Mel¬ 
lon  University’s  Software  Engineering 
Institute. 


Viruses,  worms,  Trojan  horses,  bot¬ 
net  zombies,  distributed  denial-of-ser- 
vice  attacks,  hacking,  blended  threats  — 
they’re  all  out  there,  and  many  can  hitch 
rides  with  e-mails  and  electronic  trans¬ 
missions,  including  instant  messages. 

“We’re  up  to  60,000  different  viruses 
out  there,”  observes  Jeff  Platon,  vice 
president  of  product  and  technology 
marketing  for  security  at  Cisco  Sys¬ 
tems  Inc. 

The  threat  is  growing  as  computers 
and  systems  become  increasingly  con¬ 
nected,  not  only  through  the  Internet 
but  through  business  partnerships  that 
establish  connections  and  interfaces. 

“My  security  depends  on  everybody 


else’s  security.  And  that’s  even  more  true 
when  you  have  a  closer  relationship  with 
someone,”  Manion  explains.  “When  you 
open  the  door  to  someone  else,  you’re 
just  extending  the  trust  —  and  the  risk.” 

Companies  might  think  their  bor¬ 
ders  are  secure,  but  if  they  have  a  con¬ 
nection  to  a  business  partner,  perhaps 
that  partner’s  borders  aren’t  as  strong, 
Manion  says.  That’s  a  weak  link  that 
can  let  something  bad  get  through. 

“There  certainly  is  a  great  deal  of 
concern  regarding  the  impact  of  virus¬ 
es  on  the  modern  enterprise  and  IT 
infrastructure.  The  impact  can  be  ex¬ 
traordinary,  and  the  results  can  be  dis¬ 
astrous,”  says  attorney  Gregg  Kirch- 
hoefer,  a  partner  in  the  intellectual 
property  and  technology  transaction 
practice  at  Kirkland  &  Ellis  LLP  in 
Chicago. 

Creative  Litigation 

Bringing  legal  action  in  such  cases  is 
complex,  experts  say.  It’s  difficult  to 
quantify  loss:  How  can  a  company 
prove the exact dollar amount of lost
business if a virus knocks out e-mail for
a day? It’s also difficult, if not impossible,
to prove the origins of malware.

“But  certainly  a  creative  lawyer 
could  come  up  with  a  variety  of  meth¬ 
ods  in  which  liability  could  be  in¬ 
ferred,”  says  Sandra  A.  Jeskie,  a  partner 
in  the  trial  department  at  Philadelphia- 
based  Duane  Morris  LLP  and  a  mem¬ 
ber  of  the  board  of  the  Computer  Law 
Association.  “I  could  see  a  negligence 
claim,  even  if  it  might  be  difficult  to 
prove.  I  could  make  an  argument  that 
if  you  got  infected  and  transmitted  it  to 
me,  you  did  not  properly  protect  me 
because  you  were  so  lax.” 

The  question  of  negligence  comes 
down  to  established  standards,  and 
computer  security  standards  are  evolv¬ 
ing.  Federal  laws  such  as  the  Sarbanes- 
Oxley  Act  and  the  Health  Insurance 
Portability  and  Accountability  Act, 
along  with  industry  standards  such  as 
ISO  17799  and  BS7799,  have  created  ex¬ 
pectations  for  companies  to  meet. 

“Companies  have  to  be  aware  that 
their  behavior,  their  security  and  their 
technology  will  be  measured  against 
something,  either  standards  in  the  in¬ 
dustry  or  what  they  told  their  cus¬ 
tomers  they’d  be  doing,”  says  Melise  R. 
Blakeslee,  a  partner  in  the  Washington 
office  of  the  technology  transactions 
and  e-business  group  at  law  firm 
McDermott  Will  &  Emery  LLP. 

Claiming  negligence  isn’t  the  only 
potential  legal  strategy.  Some  lawyers 
say  trespass,  intentional  interference 
with  existing  or  prospective  business 
relations  and  disturbance  of  quiet  en- 
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What  IT 
Can  Do 


Security  is  the  big  topic  these  days,
but  some  legal  and  security  experts
question  whether  IT  executives
know  their  risk  for  liability.  “When
I  speak  about  it,  they’re  constantly
shocked  about  the  exposures  that
are  there,”  says  Sandra  A.  Jeskie,
a  partner  at  law  firm  Duane  Morris.

Jeskie  and  others  recommend
taking  the  following  steps  to  help
limit  risk  and  legal  exposures:

Implement  and  maintain  security 
measures  that  are  standard  for  your 
type  of  company  and  industry  sector. 

Work  with  your  legal  department 
to  ensure  that  IT  meets  contractual 
security  obligations.  Attorney  Melise 
R.  Blakeslee  of  McDermott  Will  & 
Emery  says  she’s  concerned  that 
contracts  stipulating  security  steps 
that  partner  companies  must  take 
“just  get  signed  and  put  in  the 
drawer.” 


Educate  employees  about  malware: 
how  to  spot  it,  avoid  it  and  report  it. 

Enforce  computer-related  employ¬ 
ee  policies,  particularly  those  against 
downloading  unauthorized  software. 

Deploy  software  that  scans  for 
unauthorized  software.  Nancy  Flynn, 
executive  director  of  The  ePolicy  In¬ 
stitute,  points  to  employees’  use  of 
instant  messaging  as  a  prime  reason 
for  this  step.  “Malicious  parties  who 
want  to  spread  viruses  are  using  in¬ 
stant  messaging,  and  by  far  the  ma¬ 
jority  of  employees  who  are  using  in¬ 
stant  messaging  are  using  free  soft¬ 
ware,  and  companies  have  no  tools 
in  place  to  protect  them,”  she  says. 

Limit  access  to  your  system.  Art 
Manion,  an  Internet  security  analyst 
at  the  CERT  Coordination  Center  at 
Carnegie  Mellon  University,  pro¬ 
motes  the  concept  of  “least  privi¬ 
lege,”  where  IT  departments  give 
users  and  business  partners  only  the 
access  they  need.  “Don’t  give  some¬ 
one  more  access  just  because  it’s 
convenient,”  Manion  says. 

-  Mary  K.  Pratt 
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Companies  are  increasingly  using 
contracts  to  help  ensure  security 
among  their  vendors  and  partners. 
Here’s  an  example  of  terms  used
by  one  financial  institution,
according  to  Melise  R.  Blakeslee,
an  attorney  at  McDermott  Will  & 
Emery: 

“Provider  represents,  warrants  and
covenants  that  the  System . . .  shall  not
contain  or  transmit  or  cause  to  be  transmitted
to  Subscriber . . .  any  computer
code  designed  to  disrupt,  disable  or
otherwise  impede,  disrupt  or  distort  the
operation  of  the  System  or  any  other
software,  firmware,  hardware,  computer
system  or  network  (sometimes  referred
to  as  ‘viruses’  or  ‘worms’) . . .  that  would
permit  Provider  or  an  unauthorized  party
to  access  the  System,  or  would  allow
any  other  similar  harmful,  malicious  or
hidden  procedures,  routines  or  mechanisms
which  would  cause  such  programs
to  cease  functioning  or  to  damage,
impede  or  corrupt  any  data,  communications,
software,  firmware,  hardware,
computer  system  or  network  or
otherwise  interfere  with  operations.

Provider  shall  implement  and  main¬ 
tain  security  systems  and  procedures 
to  prevent  unauthorized  access  to 
Subscriber’s  or  its  Affiliates’  systems 
through  any  network  connections  be¬ 
tween  Subscriber’s  or  any  of  its  Affiliates’
network  and  the  System.”

-  Mary  K.  Pratt
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More 

TO  COME 


Legal  experts  see  several  other  areas
where  computer-related  actions  could
land  companies  in  court.

Engaging  in  an  “active  defense”  -  in
other  words,  retaliating  -  is  one  example,
says  Dallas-based  attorney  Benjamin
Wright.  This  occurs  when  companies
take  aggressive  action  to  stop  an  attack
or  other  Internet-based  activity.  For  example,
a  company  might  send  junk  data
back  to  a  server  that’s  sending  spam  in
an  attempt  to  disable  that  server.

“There  are  questions  out  there  re¬ 
garding  whether  it’s  legal  to  do  things 


that  might  take  down  that  server,” 
Wright  explains.  “Are  you  somehow 
trespassing  on  that  server  or  violating 
some  computer  law?” 

CIOs  who  take  an  active  defense 
might  also  file  a  lawsuit  against  the  serv¬ 
er’s  owner  as  a  way  to  involve  the  courts 
and  “make  sure  they’re  not  doing  any¬ 
thing  illegal,”  he  says. 

Companies  could  be  held  liable  for 
an  employee’s  malicious  activity - 
using  the  company’s  equipment  to  re¬ 
lease  a  virus,  for  example,  says  attorney 
Sandra  A.  Jeskie  of  Duane  Morris  LLP.
Companies  also  could  find  them¬ 
selves  in  legal  trouble  for  any  illegal 
peer-to-peer  file  sharing  taking  place 
on  their  systems,  Jeskie  says.  Even  if 
executives  don’t  know  about  it,  plain¬ 
tiffs  could  argue  that  they  should  have 
been  monitoring  for  such  activity. 

-  Mary  K.  Pratt 


joyment  could  apply  as  well. 

“These  are  common  law  doctrines 
from  England.  Here  the  disturbance 
would  be  disturbing  your  own  right 
to  use  your  computer  servers,”  Cole 
explains.  “[Lawyers]  have  creatively 
used  old  legal  doctrine  to  address  the 
question  of  liability  with  spam,  and  I 
think  the  next  wave  of  litigation  will 


be  in  the  virus  area.” 

Far-fetched?  Not  quite.  Jeskie  points 
to  the  case  of  Intel  Corp.  v.  Hamidi 
in  2003,  where  Intel  accused  former 
employee  Kourosh  Kenneth  Hamidi 
of  trespass  for  inappropriate  use  of 
e-mail.  Although  Intel  was  unsuccess¬ 
ful  in  its  claim,  Jeskie  says  the  well- 
known  case  shows  how  old  laws 


can  be  used  today. 

Companies  are  also  using  contracts 
to  prevent  such  situations,  experts  say. 
“It  is  becoming  increasingly  common 
to  see  a  clause  that  deals  with  the  other 
party’s  duties  to  deal  with  worms  and 
viruses  and  other  types  of  things  that 
can  cause  disruptions,”  Blakeslee  says. 

These  clauses  give  companies  an¬ 
other  course  of  legal  action:  They  can 
claim  breach  of  contract  if  malware 
gets  through  and  the  contractual  secu¬ 
rity  measures  weren’t  up  to  snuff. 

“You  can  track  the  use  of  that  lan¬ 
guage  with  the  growth  of  viruses,” 
Kirchhoefer  says. 

Not  everyone  sees  increasing  litiga¬ 
tion  forthcoming,  however,  especially 
in  cases  where  malware  is  passed 
along  via  e-mail. 

“Yes,  people  are  thinking  about  the 
general  topic,  but  liability  for  sending  a 
virus  through  an  e-mail  looks  to  be  one 
of  the  more  difficult  places  for  a  suc¬ 
cessful  lawsuit.  And  if  you  see  a  case 
like  that,  it’s  going  to  be  a  real  fluke,” 
says  Benjamin  Wright,  a  Dallas  attor¬ 
ney  who  wrote  Business  Law  and  Com¬ 
puter  Security  (SANS  Press,  2004). 

Kirchhoefer  agrees  that  a  negligence 
lawsuit  against  a  company  that  passed 
along  malware  via  e-mail  would  be  a 
hard  case  to  win.  After  all,  he  says, 
both  companies  share  responsibility 
for  keeping  their  systems  safe. 


But  that  won’t  keep  companies  from 
filing  suit,  some  say. 

“We’re  always  looking  for  someone 
else  to  assume  the  blame,  to  assume 
the  liability,”  says  Nancy  Flynn, 
founder  and  executive  director  of  The 
ePolicy  Institute  in  Columbus,  Ohio. 
“So  it  would  make  sense  that  at  some 
point  someone  will  try  to  sue  over  the 
issue  of  a  virus  getting  into  the  system.”


Pratt  is  a  Computerworld  contributing 
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The  new  wave  of  handheld  consumer  devices  in  the 
workplace  means  new  headaches  for  IT  managers. 


An  IT  manager  wandering
through  the  exhibits  at  a 
mobile  and  wireless  com¬ 
puting  expo  might  well 
wonder  where  the  explo¬ 
sion  of  new  applications 
and  devices,  many  created  for  the  con¬ 
sumer  world,  will  lead. 

How  can  a  company  even  begin
to  manage  live  TV  on  cellular
phones?  How  will  the
proliferating  wireless 
e-mail  be  stored?  How  will 
it  all  be  made  secure,  with 
so  many  different  networks  and 
devices  and  applications? 

Companies  have  faced,  and  some¬ 
times  ignored,  the  demands  of  manag¬ 
ing  handhelds  and  wireless  devices  for 
years.  IT  managers  waver  between  two 


approaches:  Throw  open  the  flood¬ 
gates  and  try  to  accommodate  what’s 
coming,  or  throw  up  your  hands  and 
ban  everything  except  what  you  deem 
acceptable. 

But  the  problem  will  become  more 
complex  as  new  college  grads  arrive 
at  work  —  and  bring  the  consumer- 
focused  devices  and  applications  they 
see  not  as  toys  but  as  essen¬ 
tial  tools  they  have  integrat¬ 
ed  into  their  lives. 

When  a  young  “prosumer” 
(short  for  professional/ 
consumer)  shows  up  with  streaming 
video  clips,  live  broadcast  TV  and  a 
whole  range  of  instant  messaging,  col¬ 
laboration  and  music-downloading 
options  on  his  smart  phone,  how  will 
IT  hold  the  line  on  standards? 


And  if  he  wants  to  use  the  device  for 
work-related  e-mail,  access  to  corporate 
databases  or  storage  of  corporate  data, 
will  IT  restrict  the  access  pathway? 
What  happens  when  that  worker  resists 
using  separate  devices  for  work  and 
personal  life?  Will  IT  allow  frivolous 
functions  to  run  on  the  same  approved
devices  as  mission-critical  ones? 

Analysts  say  that  over  the  next 
two  years,  these  and  other  scenarios 
will  force  IT  managers  into  the  role 
of  enforcer  as  never  before.  “The 
IT  department  has  to  do  something 
about  more  and  more  consumer-type 
devices  entering  the  enterprise,”  says 
Roberta  Cozza,  a  U.K.-based  analyst  at 
Gartner  Inc. 

This  will  require  careful  planning  at 
the  highest  management  levels  to  de- 


Handling  Handhelds

IN  AN  APRIL  REPORT,  Gartner  delineat¬ 
ed  three  logical  levels  of  support  for  hand¬ 
helds  and  smart  phones,  from  treating 
them  like  PCs  to  giving  them  no  support 
at  all. 

The  authors  of  the  report  prefer  the
middle  road.  “There  must  be  a  more  toler¬
ated  kind  of  support  given  users  apart 
from  bans  or  fully  supporting  them,”  says 
analyst  and  co-author  Roberta  Cozza. 

The  tolerated  approach  gives  IT  a 
“safety  valve  for  the  inevitable  claim  from 
users  that  there  is  something  better  on 
the  market,”  she  notes.

This  approach  requires  that  IT  do
the  following:

■  Provide  data-interface  support  to
personal  information  manager  (PIM)  and
e-mail  applications,  as  long  as  the  user
makes  the  connection  through  software
selected  by  his  company.

■  Select  PIM  and  e-mail  synchronization
applications  that  support  a  wide
range  of  consumer  handhelds.

■  Provide  strict  security  guidelines  and
handheld  policies,  and  clearly  explain
them  to  users.

■  Install  security  software  on  a  server
that  enforces  a  password  when  a  user
powers  on.

■  Encrypt  stored  data.

■  Refuse  to  purchase  devices  for  the
user,  answer  users’  questions  about  them
or  develop  applications  for  the  handhelds.

GUIDELINES 

■  If  a  company  provides  handhelds  to 
users,  it  should  clearly  state  that  no  appli¬ 
cation  development  will  be  supported, 
because  it  would  tax  IT  resources. 

■  If  a  company  supports  development  of
an  unusual  custom  application,  IT  should
choose  the  device  and  support  and  track  it
throughout  its  lifetime,  just  as  it  would  a
desktop  or  laptop.

■  IT  managers  should  set  up  a  “cafeteria” 
plan  under  which  users  can  choose  from  a 
predefined  list  of  supported  hardware  and 
software  that  includes  a  budget  amount 
for  each  selection,  based  on  actual  cost 
or  total  cost  of  ownership.  Such  a  plan  rec¬ 
ognizes  that  people  -  even  within  a  work¬ 
group  -  have  individual  needs.  The  old  one- 
device-fits-all  approach  “will  come  under 
further  attacks  as  the  number  of  technology 
options  for  users  explodes,”  Gartner  says. 

-Matt  Hamblen 
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velop  policies  that  control  devices  and 
applications  to  limit  security  lapses 
and  IT  headaches  while  still  winning 
the  support  of  end  users. 

Two  Approaches 

Some  IT  managers  are  already  holding 
a  tough  line  on  handhelds  and  wireless 
devices,  while  others  have  tried  to 
accommodate  innovations. 

“Why  do  we  in  IT  care  what  that 
new  hire  just  out  of  college  wants  to 
run  on  his  phone  or  device?”  says  the 
assistant  vice  president  of  IT  compli¬ 
ance  at  a  Western  bank.  (She  asked  to 
remain  anonymous  because  her  com¬ 
pany  is  in  acquisition  talks.)  She  be¬ 
lieves  the  bank  should  ignore  user 
pleas  for  consumer  applications  and  set 
strict  controls  on  devices  and  access. 

“You  have  to  protect  the  enterprise,” 
she  says.  “You  have  to  protect  the  cus¬ 
tomer.  It’s  a  huge  thing  for  a  bank.” 

Lapses  that  could  result  in  leaked 
customer  information  could  bring  se¬ 
vere  federal  fines  as  well  as  damage  to 
the  bank’s  reputation,  the  vice  presi¬ 
dent  explains.  “That’s  huge,  and  we 
could  not  be  in  business  if  customer 
information  got  out,”  she  says. 

The  bank  limits  devices  used  by 
many  of  its  2,300  workers.  A  typical 
knowledge  worker  carries  a  laptop,  a 
cell  phone  and  a  BlackBerry  handheld 
capable  of  transmitting  encrypted 


e-mail.  Handhelds  and  phones  are 
treated  like  desktop  computers,  with 
regard  to  access  privileges  and  rules 
about  what  data  can  and  can’t  be 
loaded  on  them,  the  compliance 
officer  says. 

Workers  aren’t  allowed  to  attach  a 
personal  device  to  the  bank’s  network, 
and  they  can’t  use  the  Universal  Serial 
Bus  ports  of  their  laptops  for  storing 
corporate  data,  to  prevent  it  from  being 
transferred  to  a  personal  storage  device. 

“Control  is  important,”  the  bank  ex¬ 
ecutive  notes.  “You  can’t  be  compliant 
[with  federal  rules  such  as  the  Sar- 
banes-Oxley  Act]  if  you  don’t  have 
control.” 

In  contrast,  at  consumer  electronics 
retailer  Best  Buy  Co.  in  Richfield, 
Minn.,  4,000  employees  are  allowed  to 
use  a  fairly  wide  range  of  devices,  in¬ 
cluding  BlackBerry  and  Audiovox 
handhelds  and  Palm  OS  devices  such 
as  the  Treo,  says  Jeff  Robles,  sourcing 
manager  for  enterprise  products  and 
transportation  at  Best  Buy. 

“Given  we  are  a  technology  compa¬ 
ny,  we  understand  there  are  business 
requirements  that  will  govern  the  use 
of  our  devices,  so  we  attempt  to  man¬ 
age  to  the  need  while  mitigating  any 
security  issues,”  he  says. 

To  do  this,  Best  Buy  relies  on  several
management  software  products  from 
Traq-wireless  Inc.  in  Austin,  including 


Mobile  Source.  Traq-wireless  says  its 
software  is  designed  to  reduce  costs 
and  mitigate  security  and  intellectual 
property  risks  by  giving  IT  managers 
visibility  into  which  employees  have 
which  devices  and  services. 

More  to  Come 

Regardless  of  today’s  approach,  the 
next  few  years  will  challenge  IT  shops 
to  keep  up  with  multiple  operating  sys¬ 
tems,  wireless  carriers,  and  new  de¬ 
vices  and  applications,  analysts  say. 

“It’s  going  to  be  a  lot  worse,” 
says  Bob  Egan,  an  analyst  at  Mobile 
Competency  Inc.  in  North  Providence, 
R.I.,  citing  the  proliferation  of  cheap 
consumer-centric  devices,  including 
camera  phones  and  mass  storage  de¬ 
vices.  “It’s  a  new  frontier.  There’s  not 
a  single  company  out  there  doing  a 
very  good  job  managing  mobile  devices 
as  a  class.” 

For  example,  Egan  says,  most  com¬ 
panies  overlook  the  issue  of  protecting 
intellectual  property  on  smart  phones. 
When  a  salesman  puts  customer  con¬ 
tact  data  on  a  phone,  that  information 
can  be  lost  if  he  changes  jobs. 

Some  mobile  operators  such  as 
Sprint  Corp.  are  beginning  to  offer  ser¬ 
vices  to  manage  mobile  hardware  and 
software,  Egan  says,  but  outsourcing 
mobile  security  is  a  step  many  IT 
shops  may  resist. 


As  for  applications,  Egan  says  some 
companies  are  trying  to  enforce  a 
list  of  approved  software  for  employ¬ 
ees,  but  that’s  difficult  to  implement 
on  a  practical  level.  Egan  says  the 
same  management  model  that  corpora¬ 
tions  use  for  purchasing  a  laptop  and 
provisioning  and  supporting  it  should 
apply  to  a  phone  or  handheld  device. 
But  with  handhelds,  rules  are  harder 
to  enforce. 

There  are  other  potential  issues,  he 
says.  What  if  an  employee  purchases 
a  device  himself  but  uses  it  for  work? 
Can  the  company  demand  access  to 
the  data?  And  what  happens  if  the 
device  is  lost  or  stolen?  What  about 
archiving  e-mail  and  capturing  and 
archiving  short  text  messages? 

“Consumer  trends  such  as  text  mes¬ 
sages  need  to  be  on  the  radar  of  CIOs 
and  IT  managers,  because  they  are 
translating  into  main  user  issues  in  the 
enterprise,”  Egan  says. 

Gartner  stated  in  a  recent  report 
that  the  trend  of  consumer  devices 
entering  the  workplace  “creates  havoc 
for  IT  organizations  whose  operations 
are  based  on  standards  and  stable 
platforms.” 

Companies  are  protecting  the  front 
end  of  the  organization  with  a  firewall, 
the  report  says,  but  the  back  end  is 
protected  “only  by  the  good  intentions 
of  employees.”
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by  night  workers  are  rooted 
in  feeling  disconnected  from 
management,  especially  dur¬ 
ing  shifts  when  few  managers 
are  on  hand. 

“What  often  happens  is  that 
people  become  a  team  that 
operates  independently  of 
the  company,”  says  Betsy  Con¬ 
nelly,  president  of  Circadian 
Technologies  Inc.,  a  Lexing¬ 
ton,  Mass.-based  research  and 
consulting  firm  specializing 
in  extended  hours  operations. 
“That  can  lead  to  creative 
ideas,  but  also  to  an  adversari¬ 
al  relationship  with  the  rest  of 
the  company.” 

That  animosity  can  heat  up 
if  night-shift  workers  sense 
that  they  aren’t  being  heard. 
Renee  Cornair,  a  computer 
analyst  who  works  from  8:30 
p.m.  to  7  a.m.  at  The  Orange 
County  Register,  a  daily  news¬ 
paper  with  headquarters  in 
Santa  Ana,  Calif.,  says  that  she 
routinely  e-mails  managers 
and  associates  to  report  issues 
that  crop  up  during  the  night 
and  to  suggest  resolutions. 

“The  problem  is  that  people 
are  overwhelmed  by  e-mail,  so 
it’s  difficult  to  get  them  to  read 
those  communiques,”  Cornair 
says,  adding  that  important 
information  from  manage¬ 
ment  can  also  slip  through 
the  cracks  when  meetings  are 
held  when  night  workers  are 
sleeping.  “Without  communi¬ 
cation,  you’re  cut  off  from  the 
rest  of  IT,  from  knowing  what 
the  business  needs  are,  what 
projects  are  moving  forward, 
what  the  timelines  are,  what 
the  service  levels  are  evolving 
to,”  she  says. 

Resolving  thorny  technical 
problems  without  the  help  of 
supervisors  can  be  another 
source  of  stress.  “You  can’t  just 
know  what  to  fix.  You  have  to 
know  why  it  works  and  how  to 
apply  it  to  different  situations,” 
explains  Rishi  Maharaj,  a  help 
desk  technician  on  the  4  p.m.- 
to-midnight  shift  at  Willow 
CSN  Inc.,  a  Miramar,  Fla.- 
based  company  that  provides 
virtual  call  center  services. 

What  to  Do 

The  following  are  steps  that 
IT  managers  can  take  to  help 
their  night-shift  crews  be  more 
productive  and  content: 


LAST  YEAR,  a  veteran
IT  manager  who  had
spent  her  career  working
traditional  business
hours  at  a  California
entertainment  company
switched  to  a  shift  that  ended 
at  midnight.  It  was  an  eye- 
opener.  “You  do  nothing  but 
sleep  and  work  on  the  days 
you  work.  You  really  feel  that 
you  have  nothing  to  do  with 
the  ‘business’  of  the  business 
anymore.  It  was  the  most  iso¬ 
lating  experience  profession¬ 
ally  I  have  ever  had,”  she  says. 

For  decades,  many  IT  night- 
shift  workers  have  echoed 
similar  sentiments.  Some  peo¬ 
ple  prefer  to  work  during  the 
wee  hours.  But  even  die-hard 
night  owls  struggle  with  the 
physical  and  psychological 
demands  of  working  when 
everyone  else  is  asleep. 

While  it’s  difficult  to  esti¬ 
mate  how  many  IT  profession¬ 
als  are  on  the  job  after  dark, 
their  numbers  are  likely  to 
multiply.  “Increasingly,  multi¬ 
national  companies  are  cen¬ 


tralizing  their  applications 
and  related  infrastructures  to 
achieve  lower  operating  costs 
and  better  systems  integra¬ 
tion.  Round-the-clock  IT  op¬ 
erations  are  often  essential  to 
these  global  initiatives,”  says 
Paul  Hamerman,  an  analyst  at 
Cambridge,  Mass.-based  For¬ 
rester  Research  Inc. 

The  Fatigue  Factor 

Studies  show  that  night-shift 
workers  sleep  less  than  people 
who  work  during  the  day. 
When  fatigue  sets  in,  produc¬ 
tivity  can  plummet.  Changing 
sleep  hours  on  days  off  can  in¬ 
crease  the  effect. 

“That’s  like  going  to  Europe 
for  the  weekend.  If  your  body 
is  usually  asleep  at  a  time 
when  you  now  have  to  be 
awake  and  on  the  job,  you’ll 
feel  drowsy  and  be  more  prone 
to  accidents  and  mistakes,” 
says  John  Eickholt,  a  physician 
who  is  medical  director  of  the 
Worthington  Sleep  Wake  Cen¬ 
ter  in  Columbus,  Ohio. 

Other  hardships  reported 


Managing  IT  workers  on 
the  night  shift  raises  unique 
challenges.  BY  JUDY  ARTUNIAN 


SLEEPING 


■  Night  workers  get  an  aver¬ 
age  of  five  hours  of  sleep  in 
a  24-hour  period.  That’s  two 
hours  less  than  the  minimum 
amount  recommended  by 
sleep  experts. 

■  Up  to  15%  of  night-shift 
workers  suffer  from  sleep 
apnea,  a  potentially  fatal 
condition,  compared  with  2% 
to  3%  of  daytime  workers. 

■  Employee  turnover  in  night- 
shift  operations  is  10%,  com¬ 
pared  with  3%  for  U.S.  com¬ 
panies  overall. 

■  Absenteeism  among  the 
nighttime  workforce  is  9%, 
compared  with  3%  for  day¬ 
time  workers. 

■  When  night-shift  employees 
select  their  own  schedules, 
their  absenteeism  rate  goes 
down  to  8%. 


SOURCE:  CIRCADIAN  TECHNOLOGIES  INC. 

Recognize  the  night  shift’s 
achievements.  “They  save  our 
butts  while  we’re  sleeping,” 
says  Christopher  Faulkner, 
CEO  of  C  I  Host  Inc.,  a  Web 
hosting  and  data  center  man¬ 
agement  company  in  Bedford, 
Texas.  “During  the  day,  every¬ 
one  can  congratulate  someone 
who  does  a  good  job.  But  you 
have  to  make  an  effort  to  re¬ 
ward  the  night  guys.” 

Don’t  let  low  morale  fester. 
Connelly  advises  gauging  em¬ 
ployees’  moods  by  conducting 
a  confidential  employee  sur¬ 
vey.  In  particular,  look  at  why 
employees  take  sick  days.  “Ac¬ 
cording  to  our  surveys,  only 
one-third  of  employee  ab¬ 
sences  are  related  to  being 
sick,”  she  says.  “Find  out  why 
they’re  really  out.” 

Keep  them  busy.  According  to 
Circadian  Technologies,  the 
more  idle  time  night  workers 
have,  the  higher  their  rate  of 
absenteeism.  Connelly  sug¬ 
gests  setting  work  schedules 
around  predictable  ebbs  and 
flows  in  work  volume.  If  that’s 
not  feasible,  look  for  ways  that 
employees  can  fill  their  free 
time  constructively.  For  exam¬ 
ple,  C  I  Host  recently  offered  a 
cash  bonus  to  graveyard-shift 
workers  who  revised  one  of 


the  company’s  online  manuals 
during  their  idle  hours. 

Watch  those  shift  times.  Be¬ 
cause  of  physiology,  most  peo¬ 
ple  experience  a  lull  in  alert¬ 
ness  between  3  a.m.  and  6  a.m. 

That  means  if  you  drive  to  or 
from  work  during  that  stretch, 
you  have  a  greater  risk  of  be¬ 
ing  in  a  traffic  accident,  Con¬ 
nelly  says. 

Change  schedules  with  care. 

Frequent  switching  between 
day  and  night  shifts  can  wreak 
havoc  with  the  body  clock.  If 
you  must  rotate  shifts,  Eick¬ 
holt  says,  let  employees  work 
for  two  to  three  months  on 
one  shift  and  then  move  them 
to  a  later  shift. 

At  Atlanta-based  United 
Parcel  Service  Inc.,  computer 
operations  employees  change 
shifts  every  four  months.  “We 
like  to  give  them  at  least  one 
month’s  notice.  If  they  have  a 
two-working-spouse  family 
or  a  child  they  need  to  take 
care  of,  they  can  make  adjust¬ 
ments,”  says  Ed  Zolcinski,  di¬ 
rector  of  worldwide  data  cen¬ 
ter  operations.  “That’s  proba¬ 
bly  one  of  the  most  important 
things  we  do  for  them.”  The 
company  says  its  annual  employee
opinion  survey  shows
that  employees  are  satisfied 
with  this  arrangement. 

Create  a  healthful  work  environ¬ 
ment.  Eickholt  suggests  these 
energy-boosting  measures: 

■  Install  full-spectrum  light¬ 
ing  that’s  as  bright  as  possible, 
without  compromising  com¬ 
fort  and  safety. 

■  To  keep  drowsiness  at  bay, 
provide  food  choices  such  as 
fruits,  vegetables  and  nuts 
rather  than  sugary  snacks. 

■  Encourage  employees  to 
move  around.  Even  short 
walks  across  the  room  can 
help  ward  off  sleepiness. 

Finally,  tell  new  night-shift 
workers  what  to  expect. 

“Make  sure  people  understand
what  this  kind  of  commitment
to  the  schedule  means,”  says
the  entertainment  company
IT  manager,  who  requested
anonymity.  “Make  sure  it’s  the
right  fit  for  the  right  people.”



Artunian  is  a  freelance  writer  in 
Newport  Beach,  Calif.  Contact 
her  at  jartunian@sbcglobal.net. 
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Throw  Out  the  Rules 


Leading  an  elite  team 
on  a  mission  requires 
a  new  approach 

Convene  the  elite  of  your 
company  for  a  world-
changing  project,  and  you
have  a  virtuoso  team. 
Talent,  energy,  ambition, 
intensity,  ego,  risk  — 
these  teams  have  it  all 
in  spades.  And  they  play 
by  a  different  set  of  rules. 
In  this  month’s  Harvard 
Business  Review,  co-authors  Bill  Fischer 
and  Andy  Boynton  discuss  their  study 
of  virtuoso  teams  in  20  top  companies. 
Boynton,  the  dean  of  Boston  College’s 
Carroll  School  of  Management,  told 
Computerworld’s  Kathleen  Melymuka 
that  at  this  level,  there’s  no  room  for  nice. 

What’s  a  virtuoso  team?  A  team  that 
has  the  explicit  mission  to  change  the 
world  —  big  change,  big  objectives,  a 
brand-new  system  never  done  before. 
A  financial  services  firm  we  looked  at
worked  on  a  mass  customization  proj¬ 


ect  —  a  total  revamp  to  personalize 
financial  services.  A  consumer  goods 
company  created  a  global  supply  chain 
project.  It’s  about  a  breakthrough.  And 
[the  team  is]  composed  of  the  very 
best  talent  obtainable,  role  by  role:  a 
team  of  superstars. 

Yet  you  say  most  companies  deliberately 
avoid  creating  virtuoso  teams.  Why? 

Most  companies  want  to  avoid  getting 
a  bunch  of  big  egos  and  strong  wills  on 
a  team,  because  they’re  afraid  of  too 
much  tension  and  conflict.  They  look 
at  who’s  available,  who  has  experience, 
and  they  look  for  harmony  —  people 
that  will  get  along.  Not  every  project 
deserves  a  virtuoso  team,  but  every  or¬ 
ganization  has  some  projects  that  do. 

How  does  the  approach  to  teamwork 
differ?  Several  things.  There’s  almost 
a  frenetic  energy  in  how  they  work. 

It’s  far  more  intense  than  in  a  normal 
team.  Also,  there’s  a  lot  more  direct, 
no-holds-barred  dialogue.  We  say  a 
polite  team  will  give  you  polite  results. 
These  are  not  polite  teams.  They  work 
together  physically  and  intensely  — 
not  by  e-mail  and  phone.  There  is 


speed  —  rapid  prototyping  and  rapid 
movement  of  ideas.  There’s  also  a  very 
clear  statement  of  what  they’re  trying 
to  do  and  not  do  upfront.  And  there’s 
something  in  it  for  everybody. 

You  emphasize  close  quarters  and  tight 
time  constraints.  What  does  that  do  for 
the  team?  In  concert  with  other  things, 
it  ensures  true  collaboration  where 
ideas,  not  tasks,  are  the  focus.  Where 
people  are  belly  to  belly  and  they  feel 
they’re  under  pressure,  there’s  a  lot 
more  direct  dialogue,  a  lot  of  intima¬ 
cy  and  an  intense  blending  of  skills. 
There’s  an  acceleration  of  momentum. 
That’s  the  way  you  want  to  set  it  up  to 
make  it  work  well. 

Why  is  it  so  important  not  to  be  polite? 

There  are  so  many  obstacles  to  getting 
the  best  ideas  out  on  the  table.  Hier¬ 
archy  drives  ideas;  the  boss  says  some¬ 
thing,  and  everybody  agrees.  Here, 
you’re  creating  a  real  marketplace  for 
ideas.  People  aren’t  worried  about  the 
consequences  of  what  they  say. 

What  kind  of  characteristics  would  the 
team  manager  require?  He  has  to  be  a 

conduit  of  ideas  from  the  outside.  He 
has  to  listen  extraordinarily  well.  He 
has  to  be  supremely  self-confident,  be¬ 
cause  he’s  got  to  let  those  egos  and  the 


■  Choose  members  for  availability
■  Emphasize  the  collective
■  Focus  on  tasks
■  Work  individually  and  remotely
■  Address  the  average  customer

VIRTUOSO  TEAMS

■  Choose  members  for  skills
■  Emphasize  the  individual
■  Focus  on  ideas
■  Work  together  intensively
■  Address  the  sophisticated  customer


“I”  soar.  Nothing  dumbs  a  team  down 
more  than  everything  being  “we.” 
Compromise  is  the  sire  of  mediocracy. 
It’s  not  about  compromise:  it’s  about 
getting  there.  And  he  has  to  value  fail¬ 
ure  as  an  opportunity  to  learn. 

What do you think is the biggest challenge in managing a virtuoso
team? You need a manager that understands the rules of the game;
someone who’s direct, who’s there to get results, not to be polite;
someone who won’t let them accept compromises; someone who wants to
change the world and will keep that ambitious target in front of
them. Leadership is a contact sport. It’s a whole different
environment, and if you don’t know that going in, it can unravel.


TECH JOB LOSSES

With cautious optimism, outplacement services vendor Challenger,
Gray & Christmas Inc. announced last month that second-quarter
technology job losses in the U.S. were down 33% from the previous
quarter. But it said the cuts were still running 16% higher than in
the same quarter one year ago.

Moreover, job losses in the technology field accounted for 18.4% of
all layoffs announced in the first six months of 2005, the company
said, whereas one year earlier, tech job cuts represented 13% of the
six-month total.

The most recent job losses took place largely at computer firms,
which have seen weak demand for semiconductors as well as an apparent
reluctance on the part of corporate customers to invest in new
technology, according to the survey. Job cuts in the computer sector
totaled 20,470, or 51.5% of all technology-related job cuts in the
second quarter.

- Todd R. Weiss


[Chart: TECHNOLOGY JOB CUTS, by quarter (Q2 ’04, Q1 ’05); values not recoverable]
CEOs Turn More Glum

CHIEF EXECUTIVES across the U.S. are less confident about the state
of the economy now than they were in the first quarter of this year,
The Conference Board Inc. reported last month in its latest survey of
CEOs.

The CEO Confidence Measure fell to 55 in the second quarter, after
registering at 62 in the year's first quarter. A reading of more than
50 points reflects more positive than negative responses. The survey
includes about 100 business leaders in a wide range of industries.

Percentage of CEOs surveyed who expect economic conditions to improve
in the coming months, down from 43% in Q1.

CEOs’ assessments of current conditions deteriorated over the last
quarter. Approximately 44% of CEOs claimed that current economic
conditions have improved, down from nearly 59% in the last quarter.
In assessing their own industries, close to 38% said conditions are
better, down from approximately 57% last quarter.


COMPANY:  Tatum 
Partners,  Atlanta 


Just as enterprises are relying more on contract IT labor nowadays,
so too are organizations making more extensive use of temporary CIOs,
or “CIOs for hire.”

In some instances, CIOs are brought in on a short-term basis to help
slash costs, oversee a major ERP implementation or help orchestrate
other strategic initiatives.

Tatum  Partners,  an  Atlanta-based 
firm  that  places  full-  and  part-time  IT 
and  financial  executives,  recently 
named  Richard  D’Amaro,  former  di¬ 
rector  of  KPMG’s  health  care  practice, 
as  its  CEO.  Computerworld’s  Thomas 
Hoffman  spoke  to  D’Amaro  about  the 
current  hiring  environment  for  CIOs. 


What are some of the skills that clients are looking for from CIOs
these days? A lot of our clients are dealing with regulatory issues
and the necessary skills to optimize their applications to make them
impactful to the overall business.

It used to be that when you went into an organization, there were
silos - a chief marketing officer, a chief financial officer, a chief
information officer. Now, for a company to hit on all cylinders and
serve the customer, the skills that used to be very vertical have to
become horizontal and blur more across roles.

What skills are clients demanding from the CIOs they hire in part to
handle issues related to the Sarbanes-Oxley Act? The skills are about
knowing the regulations and the requirements, as well as leadership
skills and how to implement this with an existing staff or an
augmented staff. It isn’t just about implementing Sarbanes, but
dealing with the sophisticated controls and processes that are
required.

Some studies suggest that CIOs are experiencing longer tenure than
CEOs and CFOs. Does this map with your experience? If so, what are
the factors that are contributing to this? I’ve not seen statistics.
If we accept the notion that CIO tenure is on the rise, what’s
happening now is that the requirements of companies to not only have
systems to run the business but to meet the regulatory requirements
are requiring our clients to commit to being with this person for a
significant period of time.

There was a lot of turnover when all of the ERPs weren’t achieving
the results they were expected to. But I suspect it’s becoming less
and less of an issue, and the depth and breadth of a CIO is becoming
key to companies long term.


Page  compiled  by  Jamie  Eckle. 
IT Pay and Offshore Disillusionment

FOOTE PARTNERS LLC found signs of strong pay growth for several IT
skills in a survey of some 50,000 IT professionals that was released
last month. The New Canaan, Conn.-based research firm sees this
upward trend as evidence that offshore outsourcing is no longer
holding down IT salaries in the U.S., as it was as recently as last
year. Says David Foote, the firm's cofounder, president and head of
research, “Companies have become more aware of the difficulties in
doing offshoring successfully and achieving anticipated cost savings.
They’re once again investing in their own people to build and
maintain systems critical to their business strategies. And they’re
using competitive pay to attract and hire workers with the right
combinations of technical and business skills to do this.”

Pay increases were especially strong for noncertified IT
professionals, but they have only begun to make up the ground they
have lost over the past four years. Overall median average pay for 89
noncertified skills in the survey grew nearly 5% for the year that
ended July 1, to 6.9% of base pay. Over the past four years, pay for
such skills has declined over 20%.
EXEC TRACK

Morrison to Head Motorola IT

Motorola Inc. in Schaumburg, Ill., has appointed PATRICIA B. MORRISON
senior vice president and CIO. Morrison most recently served as CIO
at Office Depot Inc. Previously, she was CIO at The Quaker Oats Co.
and at GE Industrial Systems.

McCarthy Gets Nod As Aetna CIO

Aetna Inc. in Hartford, Conn., has named MARGARET McCARTHY senior
vice president and CIO, responsible for Aetna Information Services.
Previously, McCarthy was vice president and head of business
solutions delivery.

McAfee Picks Decker as CIO

McAfee Inc., a provider of IT security software in Santa Clara,
Calif., announced that RICHARD J. DECKER has been appointed CIO.
Previously, Decker was CIO at Mentor Graphics Corp. and at Measurex,
a process control company that’s part of Honeywell Inc.

Tufts University Names Tynan CIO

Tufts University in Medford, Mass., announced the appointment of
AMELIA TYNAN as CIO and vice president for IT, effective Sept. 1.
Tynan is currently vice provost and CIO at the University of
Rochester in New York.

Air Force CIO Tapped by SRA

SRA International Inc., a Fairfax, Va.-based provider of IT services
and software to federal government organizations, announced the
appointment of JOHN M. GILLIGAN as vice president and deputy director
of the company’s defense-related operations. Previously, Gilligan was
CIO at the U.S. Air Force. He also served as CIO at the Department of
Energy.


BART PERKINS

The Elusive Executive Sponsor

ONE OF THE biggest predictors of project and program success is
having an effective executive sponsor. This is the senior executive
who “owns” the program and is responsible for making sure it’s
successful. The executive sponsor is typically the one who proposed
the program and whose business unit or organization will receive the
majority of the program’s benefits. To be effective, he must have
enough clout to make any business process or organizational changes
the program requires. If your program has a missing, weak or
superficially involved executive sponsor, failure is almost
inevitable.

If it’s difficult to identify who the executive sponsor should be,
something about the proposed program may need to change. For example,
when a major program crosses several organizational boundaries, it
may be advantageous to break it into individual programs, each with
its own executive sponsor.

Alternatively, the problem may be a flawed organizational structure.
One client of mine recognized that its worldwide distribution system
was ineffective and overly expensive. Since each region controlled
its own logistics, no one owned the entire process. The client had to
pull logistics out of the business units and create a corporate
worldwide logistics organization in order to revamp its distribution
system successfully.

Even after an appropriate executive sponsor has been identified, he
may still resist taking responsibility for the program. An executive
may be reluctant to serve as sponsor for a number of reasons:

■ He is skeptical about the business case. Make sure you both have
done your homework and all the data is correct. Then work with the
executive sponsor to revise the business case data until you both
agree. If the executive sponsor can’t be convinced of the program’s
viability, you’ll get lukewarm support at best. Be prepared to walk
away from the program.

■ He doesn’t feel sufficient pain. If the executive sponsor’s
business unit is meeting all of its targets, he may not believe that
the new program will be worth the disruption it will cause. Determine
whether the program will contribute to some personal win for the
executive sponsor. If the personal win is large enough, the executive
sponsor may be enticed to sign up.

■ He believes it’s an IT program. Even today, some executives believe
that any program involving computers is the responsibility of IT. Try
to educate your targeted sponsor so that he sees the effort as a
business program that is IT-enabled. I have recently seen a number of
IT organizations respond to this problem by attempting to sponsor
major business programs alone. IT can rarely push a business program
through a corporation successfully, however. The majority of these
programs are doomed to failure and should be canceled before they
waste precious funding.


Bart Perkins is managing partner at Louisville, Ky.-based Leverage
Partners Inc., which helps organizations invest well in IT. He was
previously CIO at Tricon Global Restaurants Inc. and Dole Food Co.
Contact him at BartPerkins@LeveragePartners.com.
■ He isn’t supporting the program for political reasons. If you
believe that the executive is posturing or is afraid of his peers’
reactions, call his bluff by threatening to cancel the program. You
will quickly discover whether the objections are genuine.

■ He faces personal challenges. If an executive is close to
retirement or facing personal difficulties such as a divorce or
serious illness, he may not want to take on another major, multiyear
challenge. In these cases, it’s best to wait until the crisis has
passed or the executive has been replaced.

■ He lacks the requisite experience. The executive may not fully
understand the responsibilities of an executive sponsor, or he may
feel that his expertise is insufficient. Offer to supply the
appropriate project management skills in return for his financial and
political support of the program. This can be advantageous to IT
because it ensures that the project manager will understand the IT
side of the business.

An involved and committed executive sponsor is critical to program
success. There’s an old joke that at a bacon-and-eggs breakfast, the
chicken is involved, but the pig is committed. A good executive
sponsor must be both. If he is involved but not committed, you will
get lip-service support at best. If he is committed but not
sufficiently involved, the program will suffer and probably fail.

Don’t pursue a path that is doomed from the start. Do everything
possible to acquire the necessary executive support for major
programs upfront. Without the leverage provided by an effective
executive sponsor, you might as well cancel the program and invest
your dollars more wisely elsewhere.



Programmer  Analyst:  develop 
client/server  &  web  appis  on 
Win2000/Unix  including  Forms 
/Reports,  stored  procedures, 
functions/packages,  ad-hoc 
query/Discoverer,  code  migra¬ 
tion,  coding  standards  &  config 
mgmt,  legacy  sys  data  to 
Oracle  db,  and  Oracle  ct/sr 
appi  to  3-tier  web  appl.  Re¬ 
quire  BS/BA  (or  equiv.edu/exp) 
in  Comp  Sc,  Engr.,  or  MIS  plus 
2-yr  exp.  Full-time.  Resume  to: 
Ann  Marr,  HR-106,  World  Wide 
Technology,  Inc.  60  Weldon 
Pkwy,  St.  Louis.  MO  63043. 
NO  CALUEOE. 


Project  Manager 

Manage  computer  projects  for 
major  clients  throughout  the 
United  States  including  technical 
definition,  budgeting,  client  rela¬ 
tions,  and  completion;  manage 
projects  involving  the  develop¬ 
ment  and  implementation  of 
multi-tiered,  Internet/Intranet/ 
Client  Server  based  multi-user, 
Re-engineering/Conversion  ap¬ 
plications;  manage  systems  an¬ 
alysts,  business  anaiysts  and 
support  staff:  audit  applications 
quality  to  ensure  adherence  to 
Quality  Management  Systems 
(SEI-CMM  Level  2  or  above); 
manage  the  development  and 
execution  of  testing  plans,  user 
acceptance  tests  and  user  train¬ 
ing;  and  perform  Capacity  Plan¬ 
ning  for  applications.  Manage¬ 
ment  of  applications  includes 
utilization  of  proficiency  in  Ja¬ 
karta  Tomcat  and  JBoss  Applica¬ 
tion  Server;  Oracle:  Web  Servic¬ 
es,  SOAP,  WSDL,  ebxmlrr,  Java, 
J2EE;  travel  to  client  sites  from 
Monday  through  Friday.  Must 
have  a  Master's  Degree  or  for¬ 
eign  equivalent  in  Computer 
Science,  Engineering  or  a  relat¬ 
ed  field  and  three  years  of  expe¬ 
rience  in  systems  analysis  or  in 
a  related  occupation  or  a  Bach¬ 
elor’s  Degree  or  foreign  equiva¬ 
lent  in  Computer  Science,  En¬ 
gineering  or  a  related  field  and 
five  years  of  progressive  experi¬ 
ence  in  systems  analysis  or  a 
related  occupation.  If  interest¬ 
ed,  submit  resume  in  duplicate 
to: 

Ms.  Sandy  Pruitt 
NUT  Technologies  Inc. 

1050  Crown  Pointe  Parkway 
Suite  500 

Atlanta,  Georgia  30338 


SAP  Technical  Professionals: 
Analyze,  dsgn,  dvip,  impit  & 
trouble  shoot  SAP  applies,  infra¬ 
structure  &  interfaces.  Dsgn, 
map  &  dvip  interfaces,  using 
some  of  the  following  SAP  ALE, 
EDI,  Business  Connector  &  Mer¬ 
cator,  SD.  MM.  Fl,  CO,  PS,  QM, 
PP,  PM,  my  SAP.com,  CRM, 
BW.  SAP  GL,  SEM,  SAP  R/3, 
SAP  4.6c,  4.6B,  2.0B  &  CRM- 
2.0C.  Dsgn  &  dvip  web  inter¬ 
faces  for  SAP  applies.  Perform¬ 
ance  tuning,  monitoring  &  opti¬ 
mizing  of  applies.  Impimt  &  opti¬ 
mizing  of  applies.  Impimt  chan¬ 
ge  Mgmt  of  develpmt  objects  be¬ 
tween  multi-system  landscape. 
Formulate  specs,  documenta¬ 
tion.  Analyze  &  impimt  version 
upgrades.  Prep  time  &  cost  esti¬ 
mates  using  SAP  solution  Mgr. 
Define  testing  strategy,  security 
&  stress  test  for  business  pro¬ 
cesses.  Dsgn,  impimt  backup 
recovery  procedures.  Req.  Mas¬ 
ters  or  equivalent  in  Computer 
Sci.,  MIS,  CIS,  Engineering  (any 
field).  Business,  Technology, 
Mathematics  or  related  fields 
with  a  min  of  2  yrs  of  related 
exp.  for  Senior  Professionals 
and  Bachelor's  or  equivalent  in 
Computer  Sci,  MIS.  CIS,  Engin¬ 
eering  (any  field).  Business, 
Technology,  Mathematics  or 
related  field  with  a  min  of  1-2  yr 
of  related  exp.  for  Professionals. 
Any  suitable  combination  of  edu¬ 
cation.  training  &/or  exp  that 
equates  to  min  reqmts  also  ac¬ 
ceptable.  Top  $$.  Resp:  HR  Mgr, 
Genesis  Corporate  Solutions. 
LLC,  150  Presidential  Way, 
Suite  230,  Woburn.  MA  01801 . 


Manager  (Data  Systems):  York. 
ME-Informatic  Technologies  Inc 
a  software/healthcare  consulting 
company  has  multiple  openings 
for  experienced  professionals  to 
plan,  direct,  coordinate  activities 
in  data  warehousing  using  Infor- 
matica.  Brio,  Essbase.  Crystal 
Reports.  Translating  business 
processes  into  planning  models, 
build  new  system  and  data  mod¬ 
els.  Streamlining  the  IT  process 
and  implementing  sophisticated 
system  with  remote  access  to 
Financial  reports  using  Oracle 
Financials,  Siebel,  Portal,  Soft- 
rax,  C++.  VC++.  We  offer  com¬ 
petitive  salaries  and  a  profes¬ 
sional  work  environment  For 
immediate  consideration  send 
resume  to;  Informatic  Technolo¬ 
gies  Inc.,  647  US  Rt  1.  Suite 
212,  PO  Box  2000,  York.  ME 
03909,  Attn.:  HR  Department 
Cisco Flaw

Basel, Switzerland-based drug maker. “Vulnerabilities will always exist. Organizations have to prepare themselves to be able to protect themselves.”

Security researcher Michael Lynn triggered the concerns two weeks ago when he made a presentation about the router flaw at the Black Hat conference in Las Vegas. Cisco and Atlanta-based Internet Security Systems Inc., Lynn’s former employer, had tried to stop him from giving his scheduled talk [QuickLink 55863].

Cisco attempted to prevent the information from spreading by securing a court injunction against Lynn and getting Black Hat’s organizers to remove his presentation from the conference proceedings. But several security-oriented Web sites posted copies of the presentation, prompting Cisco to issue an advisory on July 29 in which it urged users to upgrade to the latest version of its Internetworking Operating System software.


Action Plan

Steps for dealing with the threats to Cisco’s IOS:

1. INVENTORY all Cisco routers in your IT infrastructure.

2. IDENTIFY routers that can be upgraded to the latest version of IOS, and develop a plan for replacing the ones that aren’t upgradable.

3. SET UP A LAB for testing the new IOS images that will be installed as part of upgrades.

4. START THE UPGRADE process with the routers that are most critical to your operations.

According to the Cisco advisory, products running certain versions of IOS are vulnerable to attacks that use specially written IP Version 6 packets. Only devices that have been explicitly configured to process IPv6 traffic are affected by the flaw, Cisco said.

The information Lynn disclosed shows how malicious hackers can compromise routers to “stop, redirect and scramble network traffic,” said Gene Hodges, president of IT security vendor McAfee Inc. in Santa Clara, Calif.

“Up to now, the [security] community, I believe, has somewhat naively assumed that this wasn’t possible,” Hodges added, citing the complexity of attacking routers.

Potential Reuse

Although the updated IOS version isn’t vulnerable to the hack detailed by Lynn, any newly discovered buffer or heap overflow vulnerability in the software could be exploited using the same process, warned Jian Zhen, director of product management at LogLogic Inc., a Sunnyvale, Calif.-based vendor of tools for managing network data logs.

“That’s the most scary part of this whole incident,” Zhen said. “The vulnerability is difficult to exploit due to the technical competency required. But all it takes is someone to write the necessary shell code, and ‘script kiddies’ will be able to use that for new vulnerabilities discovered in the future.”


Hackers Bypass Microsoft’s Antipiracy Checks

MICROSOFT CORP. has acknowledged that hackers were quickly able to bypass a process it implemented late last month to ensure that users trying to download software updates from its Web site have legitimate copies of Windows.

A July 28 posting on the Boing Boing weblog claimed that a JavaScript command string could bypass the software-key check in Microsoft’s Windows Genuine Advantage 1.0 program. According to the posting, users can override WGA by pasting the command in the address bar of their browser and pressing Enter. The code “turns off the trigger for the key check,” the posting said.

WGA requires users to run a program to verify that their copies of Windows aren’t pirated before they can use Microsoft’s software update services. Microsoft had been running it as a pilot program since last September but made the validation process a requirement on July 27.

“Within 24 hours, hackers claimed to have circumvented the process, and it appears that they did,” a Microsoft spokesman said. He added that the company will fix the flaw that was exploited in an upcoming version of WGA.

The Boing Boing hack isn’t the only way to get around WGA’s restrictions that has come to light. David Keller, founder of PC consulting and services firm Compu-Doctor in Cape Coral, Fla., said in an interview conducted via e-mail that he was able to change his Internet Explorer settings to bypass WGA. He discovered means to do so after he encountered a flaw in the program that flagged a legitimate product key on a customer’s copy of Windows XP Professional Service Pack 2 as invalid.

Keller wrote that he didn’t have much luck working with Microsoft’s support technicians, so he disabled the WGA add-on within the browser’s Internet Options menu.

- Elizabeth Montalbano and Robert McMillan, IDG News Service


Resets  Users’  Web  Passwords 


CISCO LAST WEEK said it was resetting the passwords for all registered users of its Web site after discovering a security vulnerability in its search engine software that left those passwords exposed.

The passwords are used by Cisco customers, employees and business partners who have registered to get access to special areas of the Web site or receive e-mail alerts, said Cisco spokesman John Noh.

Cisco was made aware of the flaw in the search engine last Monday and corrected it immediately, Noh said. He added that as a precaution, the company began sending out new passwords and blocked users from accessing the password-protected areas of the Web site with their old ones.

According to Noh, Cisco officials don’t think the vulnerability could be exploited to gain access to any sensitive information, such as the company’s source code. He also said that the security hole didn’t affect any of the products or technologies that Cisco sells.

Cisco uses Google Inc.’s software to power the main search feature on its Web site, but the problem didn’t involve Google, Noh noted.

“It’s a vulnerability related to a Cisco search tool,” he said. “It’s part of the Web application.”

- Robert McMillan, IDG News Service


Zhen added that Cisco needs to do “a thorough code audit” to identify possible overflow vulnerabilities in IOS and then eradicate them. “It won’t be a simple task, and it will take time, but not doing it will put the Internet at risk,” he said.

Even so, attacking routers isn’t easy as long as companies employ the right defensive measures, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of network connectivity services to financial firms.

“The first tenet of router security is to make the router inaccessible,” Hession said, noting that the devices should be shut off from the Internet as much as possible.

For instance, putting the command-and-control routers that actually process data packets in their own separate network segment can make it harder for hackers to access them, said Paul Mockapetris, inventor of the Internet’s core Domain Name System and chairman of IP address management vendor Nominum Inc. in Redwood City, Calif.

“That’s why carriers run separate control networks,” Mockapetris said. “An attacker has to first get on that net before he can launch an attack. It’s just the basic principle of multiple lines of defense.”

The bigger headache for large companies from the IOS flaw is the disruption associated with updating vulnerable routers, Hession said. BT Radianz has more than 40,000 routers, the vast majority of them from Cisco, and updating them could require several months of planning, testing and scheduled downtime, Hession said.

As a result, he noted, patching decisions need to be balanced against the mitigation measures that the company already has in place, such as address masking, out-of-band management and access filtering. QuickLink 56022
What are thought to be the first viruses targeting Microsoft’s Vista OS have surfaced: QuickLink 56003

www.computerworld.com


Periodical postage paid at Framingham, Mass., and other mailing offices. Posted under Canadian International Publication agreement #40063600. CANADIAN POSTMASTER: Please return undeliverable copy to PO Box 1632, Windsor, Ontario N9A 7C9. Computerworld (ISSN 0010-4641) is published weekly; except a single combined issue for the last two weeks in December by Computerworld, Inc., 1 Speen Street, Box 9171, Framingham, Mass. 01701-9171. Copyright 2004 by Computerworld Inc. All rights reserved. Computerworld can be purchased on microfilm and microfiche through University Microfilms Inc., 300 N. Zeeb Road, Ann Arbor, Mich. 48106. Computerworld is indexed. Back issues, if available, may be purchased from the circulation department. Photocopy rights: permission to photocopy for internal or personal use is granted by Computerworld Inc. for libraries and other users registered with the Copyright Clearance Center (CCC), provided that the base fee of $3 per copy of the article, plus 50 cents per page, is paid directly to Copyright Clearance Center, 27 Congress St., Salem, Mass. 01970. Reprints (minimum 100 copies) and permission to reprint may be purchased from Renee Smith, Computerworld Reprints, c/o Reprint Management Services, Greenfield Corporate Center, 1808 Colonial Village Lane, Lancaster, Pa., 17601, (717) 399-1900, Ext. 172. Fax: (717) 399-8900. Web site: www.reprintbuyer.com. E-mail: reprints@computerworld.com. Requests for missing issues will be honored only if received within 60 days of issue date. Subscription rates: $5 per copy; U.S. - $99.99 per year; Canada - $130 per year; Central & So. America - $250 per year; Europe - $295 per year; all other countries - $295 per year. Subscriptions call toll-free (888) 559-7327. POSTMASTER: Send Form 3579 (Change of Address) to Computerworld, PO Box 3500, Northbrook, Ill. 60065-3500.




54 COMPUTERWORLD August 8, 2005


THE  BACK  PAGE 


www.computerworld.com 


FRANK  HAYES  ■  FRANKLY  SPEAKING 

Deliver  the  Goods 


The biggest idea at last week’s O’Reilly Open Source Convention didn’t have anything to do with open-source software. At least, not particularly with open-source. The idea is this: You drive costs out of IT by identifying commodity functions and doing them more cheaply, while you gain business advantage with IT by identifying unique ways you can assemble IT components to let users do things your company’s competitors can’t.

Get it? Then you’re smarter than me. I had to hear different angles on this idea from a half-dozen people before I realized they were all actually talking about the same thing.

And it’s really not an open-source idea. Sure, you can decide to perform a commodity function with open-source software — say, Linux or Apache or MySQL — if that’s cheaper than whatever you’ve been using. But instead, you might use a less-expensive proprietary software product. Or you might outsource the function. Or refactor a process to make it cheaper without changing the technology behind it.

That’s the competition that open-source software is facing. And open-source people have figured it out. Oh, not all of them — there are plenty of code jockeys around who’ll never care about anything at a higher level than queue optimization or race-condition resolution.

But companies like SourceLabs and SpikeSource understand that they can drive cost and risk out of open-source “stacks” — collections of software that perform standard functions. No more endless some-assembly-required fiddling to figure out what works together when all you want to do is some commodity IT function. Commodities shouldn’t be hard or expensive, because they offer no business advantage except saving money. Yes, open-source people have figured out the virtue in being cheap and easy.

Cutting costs is only half the idea, though. The other half is gaining competitive advantage. Businesses do that when they have something their competitors don’t. That won’t be something they can buy off the shelf — their competitors can all buy the same stuff. And that something can’t come from using industry best practices, because everyone else can follow the same recipes.

Once, IT would have looked for unique advantage by writing big custom applications. But today that takes too long and is too inflexible.

Instead, open-source-using companies like Google and Yahoo have figured out that their secret sauce is in the way they put together pieces of IT — software, hardware, networks and practices. Anyone can acquire the gear these companies use. How they put it together is the difference.

And why they put it together that way is the advantage. A clever architecture doesn’t mean a thing if it doesn’t help salespeople sell more products, HR people keep employees happier, managers run things more efficiently or executives steer the company more effectively.

When your users can do things competitors can’t, you win business. When IT makes that possible, we’re delivering the goods.

Again, that’s not an open-source idea. Those IT components you string together might just as easily be proprietary or homegrown or software as a service. Open-source doesn’t even have to be in the mix.

But users do. They’re the ones who’ll dope out the business end: how to sell a little more, how to manage a little smarter. And annoying as their clever, nonstandard computer tricks might be, that’s where you’ll find the competitive advantages that IT can support.

And that will happen only if IT pays attention to users and doesn’t fight unusual behavior, but turns it into secret sauce instead.

That’s the big idea. And it raises an even bigger question.

If the open-source crowd can figure out the relationships between IT commodities, users and competitive advantage, why can’t we?
It Doesn’t Work That Way

Pilot fish replaces a dumb terminal in his company’s parts department with a PC that’s locked down and runs only a Web browser to access new warehousing software. But parts manager doesn’t like it - he tells fish to remove the mouse. “I don’t want people here wasting time browsing the Intranet,” he says. They need it to use the warehousing application, fish points out, and thinks he’s finally convinced the manager. Well, not exactly. “When I returned later, I discovered the manager had hidden the mouse behind the machine to stop time-wasting Net surfing,” fish sighs, “as well as use of the Web app.”

Yes, You Do

User complains that her new PC won’t accept her password, so support pilot fish watches her type it in - and notices user doesn’t press Enter or click OK. “See,” user says, “nothing happens.” You forgot to press the Enter key, fish says. User: “I don’t need to.” Fish: Yes, you do. User: “No, I don’t.” “We went back and forth like that for a minute,” fish says, “before I gave up and said, ‘Well, you have to now.’”

Dial H for Huh?

This company creates an H: drive on each PC, and users know the files in it are automatically backed up. So when one user calls the help desk to say he’s lost a document from his H: drive and needs it restored, pilot fish is puzzled. “We checked the backup tapes and there was no such document,” says fish. “After a bit of investigation, it turned out the user had created the document on his home machine and created a folder called ‘H drive’ - and wanted to know why we didn’t back it up.”

college campus, and it looks to a pilot fish on the scene like the source is a networking problem. “I suggested to the VP of IT that he consider paging the network administrator, who was off-campus at the time,” reports fish. Baffled vice president responds, “But I can’t page him. I don’t have a pager.”

Something Missing

Senior manager calls tech support pilot fish in a panic: “Your guys supposedly cleaned up my virus, but it’s back! The pop-up message says there’s a Rem-ved virus on my PC!” Fish has never heard of that one, and it takes some work to figure out why. “Turned out the person who did the virus-cleanup job sent a net send message to the manager saying ‘Removed virus on your PC.’” says fish. “Unfortunately, the sender left out the o in ‘removed,’ which caused all the hullabaloo.”

TLL SHRKY YR STRY. Send your true tale of IT life to me at sharky@computerworld.com. You’ll score a sharp Shark shirt if I use it. And check out the daily feed, browse the Sharkives and sign up for Shark Tank home delivery at computerworld.com/sharky.

